From 03855d3df78b4a71b880a068939e8708b0315be9 Mon Sep 17 00:00:00 2001 From: Folker Bernitt Date: Wed, 24 Feb 2016 11:06:08 +0100 Subject: Recreate session on soledad problems - Issue #615 - invalid token raised by soledad after timeout, if we see this, recreate the session on next login --- .../test/unit/bitmask_libraries/test_session.py | 12 ++++++- service/test/unit/config/test_leap.py | 38 ++++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 service/test/unit/config/test_leap.py (limited to 'service/test/unit') diff --git a/service/test/unit/bitmask_libraries/test_session.py b/service/test/unit/bitmask_libraries/test_session.py index a41cb805..aad2cac2 100644 --- a/service/test/unit/bitmask_libraries/test_session.py +++ b/service/test/unit/bitmask_libraries/test_session.py @@ -132,6 +132,16 @@ class SessionTest(AbstractLeapTest): self.assertTrue(session.fresh_account) + @patch('pixelated.bitmask_libraries.session.register') + def test_closed_session_not_reused(self, _): + session = self._create_session() + SessionCache.remember_session('somekey', session) + session._is_closed = True + + result = SessionCache.lookup_session('somekey') + + self.assertIsNone(result) + @patch('pixelated.bitmask_libraries.session.register') def test_session_does_not_set_status_fresh_for_unkown_emails(self, _): session = self._create_session() @@ -150,7 +160,7 @@ class SessionTest(AbstractLeapTest): with patch('pixelated.bitmask_libraries.session.reactor.callFromThread', new=_execute_func) as _: with patch.object(LeapSession, '_create_incoming_mail_fetcher', return_value=mailFetcherMock) as _: session = self._create_session() - session._has_been_synced = True + session._has_been_initially_synced = True yield session.initial_sync() self.assertFalse(mailFetcherMock.startService.called) diff --git a/service/test/unit/config/test_leap.py b/service/test/unit/config/test_leap.py new file mode 100644 index 00000000..6b34d717 --- /dev/null +++ b/service/test/unit/config/test_leap.py @@ -0,0 +1,38 @@ +from leap.soledad.common.errors import InvalidAuthTokenError +from mock import MagicMock, patch +from twisted.trial import unittest +from twisted.internet import defer +from pixelated.config.leap import authenticate_user + + +class TestAuth(unittest.TestCase): + + @patch('pixelated.config.leap.LeapSessionFactory') + @defer.inlineCallbacks + def test_authenticate_user_calls_initinal_sync(self, session_factory__ctor_mock): + session_factory_mock = session_factory__ctor_mock.return_value + provider_mock = MagicMock() + auth_mock = MagicMock() + session = MagicMock() + + session_factory_mock.create.return_value = session + + yield authenticate_user(provider_mock, 'username', 'password', auth=auth_mock) + + session.initial_sync.assert_called_with() + + @patch('pixelated.config.leap.LeapSessionFactory') + @defer.inlineCallbacks + def test_authenticate_user_calls_initial_sync_a_second_time_if_invalid_auth_exception_is_raised(self, session_factory__ctor_mock): + session_factory_mock = session_factory__ctor_mock.return_value + provider_mock = MagicMock() + auth_mock = MagicMock() + session = MagicMock() + + session.initial_sync.side_effect = [InvalidAuthTokenError, defer.succeed(None)] + session_factory_mock.create.return_value = session + + yield authenticate_user(provider_mock, 'username', 'password', auth=auth_mock) + + session.close.assert_called_with() + self.assertEqual(2, session.initial_sync.call_count) -- cgit v1.2.3 From 9573bdca55ddc5488066d3af525e41ed1d872ea6 Mon Sep 17 00:00:00 2001 From: NavaL Date: Wed, 24 Feb 2016 16:33:20 +0100 Subject: Backend and frontend protection against csrf attacks: - root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login - it will also add that cookie on single user mode - initialize will still load all resources - but they you cant access them if the csrf token do not match - all ajax calls needs to add the token to the header - non ajax get requests do not need xsrf token validation - non ajax post will have to send the token in as a form input or in the content Issue #612 --- service/test/unit/resources/test_root_resource.py | 82 ++++++++++++++++++++++- 1 file changed, 81 insertions(+), 1 deletion(-) (limited to 'service/test/unit') diff --git a/service/test/unit/resources/test_root_resource.py b/service/test/unit/resources/test_root_resource.py index 3b0846ee..53481f56 100644 --- a/service/test/unit/resources/test_root_resource.py +++ b/service/test/unit/resources/test_root_resource.py @@ -1,11 +1,13 @@ import unittest import re + +from mock import MagicMock, patch from mockito import mock, when, any as ANY from pixelated.application import UserAgentMode from test.unit.resources import DummySite from twisted.web.test.requesthelper import DummyRequest -from pixelated.resources.root_resource import RootResource +from pixelated.resources.root_resource import RootResource, MODE_STARTUP, MODE_RUNNING class TestRootResource(unittest.TestCase): @@ -25,9 +27,11 @@ class TestRootResource(unittest.TestCase): root_resource._html_template = "$account_email" root_resource._mode = root_resource self.web = DummySite(root_resource) + self.root_resource = root_resource def test_render_GET_should_template_account_email(self): request = DummyRequest(['']) + request.addCookie = lambda key, value: 'stubbed' d = self.web.get(request) @@ -38,3 +42,79 @@ class TestRootResource(unittest.TestCase): d.addCallback(assert_response) return d + + def _test_should_renew_xsrf_cookie(self): + request = DummyRequest(['']) + request.addCookie = MagicMock() + generated_csrf_token = 'csrf_token' + mock_sha = MagicMock() + mock_sha.hexdigest = MagicMock(return_value=generated_csrf_token) + + with patch('hashlib.sha256', return_value=mock_sha): + d = self.web.get(request) + + def assert_csrf_cookie(_): + request.addCookie.assert_called_once_with('XSRF-TOKEN', generated_csrf_token) + + d.addCallback(assert_csrf_cookie) + return d + + def test_should_renew_xsrf_cookie_on_startup_mode(self): + self.root_resource._mode = MODE_STARTUP + self._test_should_renew_xsrf_cookie() + + def test_should_renew_xsrf_cookie_on_running_mode(self): + self.root_resource._mode = MODE_RUNNING + self._test_should_renew_xsrf_cookie() + + def _mock_ajax_csrf(self, request, csrf_token): + request.headers['x-requested-with'] = 'XMLHttpRequest' + request.headers['x-xsrf-token'] = csrf_token + + def test_should_unauthorize_child_resource_ajax_requests_when_csrf_mismatch(self): + request = DummyRequest(['/child']) + self._mock_ajax_csrf(request, 'stubbed csrf token') + + request.getCookie = MagicMock(return_value='mismatched csrf token') + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(401, request.responseCode) + self.assertEqual("Unauthorized!", request.written[0]) + + d.addCallback(assert_unauthorized) + return d + + def test_should_authorize_child_resource_non_ajax_GET_requests(self): + request = DummyRequest(['features']) + + request.getCookie = MagicMock(return_value='irrelevant -- stubbed') + self.root_resource.initialize() + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(200, request.code) + + d.addCallback(assert_unauthorized) + return d + + def test_should_unauthorize_child_resource_non_ajax_POST_requests_when_csrf_input_mismatch(self): + request = DummyRequest(['mails']) + request.method = 'POST' + request.addArg('csrftoken', 'some csrf token') + mock_content = MagicMock() + mock_content.read = MagicMock(return_value={}) + request.content = mock_content + + request.getCookie = MagicMock(return_value='mismatched csrf token') + + d = self.web.get(request) + + def assert_unauthorized(_): + self.assertEqual(401, request.responseCode) + self.assertEqual("Unauthorized!", request.written[0]) + + d.addCallback(assert_unauthorized) + return d -- cgit v1.2.3 From 1e1668f98afd04e2da7c779a825e6d28e777fec7 Mon Sep 17 00:00:00 2001 From: NavaL Date: Thu, 25 Feb 2016 09:16:28 +0100 Subject: changed logout to post Issue #612 --- service/test/unit/resources/test_logout_resources.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'service/test/unit') diff --git a/service/test/unit/resources/test_logout_resources.py b/service/test/unit/resources/test_logout_resources.py index 48cf9db9..6246eeb9 100644 --- a/service/test/unit/resources/test_logout_resources.py +++ b/service/test/unit/resources/test_logout_resources.py @@ -1,6 +1,7 @@ from mock import patch from mockito import mock, verify from twisted.trial import unittest +from twisted.web.error import UnsupportedMethod from twisted.web.test.requesthelper import DummyRequest from pixelated.resources.logout_resource import LogoutResource @@ -16,6 +17,7 @@ class TestLogoutResource(unittest.TestCase): @patch('twisted.web.util.redirectTo') def test_logout(self, mock_redirect): request = DummyRequest(['/logout']) + request.method = 'POST' mock_redirect.return_value = 'haha' @@ -29,3 +31,9 @@ class TestLogoutResource(unittest.TestCase): d.addCallback(expire_session_and_redirect) return d + + def test_get_is_not_supported_for_logout(self): + request = DummyRequest(['/logout']) + request.method = 'GET' + + self.assertRaises(UnsupportedMethod, self.web.get, request) -- cgit v1.2.3 From 1e6518dd6577bf0dbec359fd4c1aec12ed6f2a64 Mon Sep 17 00:00:00 2001 From: NavaL Date: Thu, 25 Feb 2016 12:18:31 +0100 Subject: only adding feature resource in root_resource test -- fixing build Issue #612 --- service/test/unit/resources/test_root_resource.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'service/test/unit') diff --git a/service/test/unit/resources/test_root_resource.py b/service/test/unit/resources/test_root_resource.py index 53481f56..cc052d8b 100644 --- a/service/test/unit/resources/test_root_resource.py +++ b/service/test/unit/resources/test_root_resource.py @@ -5,6 +5,7 @@ from mock import MagicMock, patch from mockito import mock, when, any as ANY from pixelated.application import UserAgentMode +from pixelated.resources.features_resource import FeaturesResource from test.unit.resources import DummySite from twisted.web.test.requesthelper import DummyRequest from pixelated.resources.root_resource import RootResource, MODE_STARTUP, MODE_RUNNING @@ -90,7 +91,7 @@ class TestRootResource(unittest.TestCase): request = DummyRequest(['features']) request.getCookie = MagicMock(return_value='irrelevant -- stubbed') - self.root_resource.initialize() + self.root_resource._child_resources.add('features', FeaturesResource()) d = self.web.get(request) -- cgit v1.2.3