From f0880aff32bbb30c6a8a0d4e078e563d24b97909 Mon Sep 17 00:00:00 2001 From: Roald de Vries Date: Thu, 1 Dec 2016 15:56:57 +0100 Subject: fix csrf for some integration tests --- service/test/integration/test_delete_mail.py | 12 +++++++----- service/test/integration/test_logout.py | 4 ++-- service/test/integration/test_multi_user_login.py | 8 +++++--- service/test/integration/test_users_count.py | 5 +++-- service/test/support/integration/app_test_client.py | 19 +++++++++++++------ .../test/support/integration/multi_user_client.py | 21 +++++++++------------ 6 files changed, 39 insertions(+), 30 deletions(-) (limited to 'service') diff --git a/service/test/integration/test_delete_mail.py b/service/test/integration/test_delete_mail.py index 6cb9ceb6..34ea5048 100644 --- a/service/test/integration/test_delete_mail.py +++ b/service/test/integration/test_delete_mail.py @@ -29,8 +29,7 @@ class DeleteMailTest(SoledadTestBase): self.assertEquals(1, len(inbox_mails)) response, first_request = yield self.app_test_client.get('/', as_json=False) - csrftoken = IPixelatedSession(first_request.getSession()).get_csrf_token() - yield self.app_test_client.delete_mail(mail.mail_id, csrf=csrftoken) + yield self.app_test_client.delete_mail(mail.mail_id, session=first_request.getSession()) inbox_mails = yield self.app_test_client.get_mails_by_tag('inbox') self.assertEquals(0, len(inbox_mails)) @@ -40,7 +39,8 @@ class DeleteMailTest(SoledadTestBase): @defer.inlineCallbacks def test_delete_mail_when_trashing_mail_from_trash_mailbox(self): mails = yield self.app_test_client.add_multiple_to_mailbox(1, 'trash') - yield self.app_test_client.delete_mails([mails[0].ident]) + response, first_request = yield self.app_test_client.get('/', as_json=False) + yield self.app_test_client.delete_mails([mails[0].ident], session=first_request.getSession()) trash_mails = yield self.app_test_client.get_mails_by_tag('trash') @@ -52,7 +52,8 @@ class DeleteMailTest(SoledadTestBase): mails = yield self.app_test_client.add_multiple_to_mailbox(5, 'inbox') mail_idents = [m.ident for m in mails] - yield self.app_test_client.delete_mails(mail_idents) + response, first_request = yield self.app_test_client.get('/', as_json=False) + yield self.app_test_client.delete_mails(mail_idents, session=first_request.getSession()) inbox = yield self.app_test_client.get_mails_by_tag('inbox') self.assertEquals(0, len(inbox)) @@ -62,7 +63,8 @@ class DeleteMailTest(SoledadTestBase): mails = yield self.app_test_client.add_multiple_to_mailbox(5, 'trash') mail_idents = [m.ident for m in mails] - yield self.app_test_client.delete_mails(mail_idents) + response, first_request = yield self.app_test_client.get('/', as_json=False) + yield self.app_test_client.delete_mails(mail_idents, session=first_request.getSession()) trash = yield self.app_test_client.get_mails_by_tag('trash') self.assertEquals(0, len(trash)) diff --git a/service/test/integration/test_logout.py b/service/test/integration/test_logout.py index b4f8ebf3..92c2afe5 100644 --- a/service/test/integration/test_logout.py +++ b/service/test/integration/test_logout.py @@ -30,7 +30,7 @@ class MultiUserLogoutTest(MultiUserSoledadTestBase): @defer.inlineCallbacks def test_logout_deletes_services_stop_background_reactor_tasks_and_closes_soledad(self): response, first_request = yield self.app_test_client.get('/login', as_json=False) - response, login_request = yield self.app_test_client.login(from_request=first_request) + response, login_request = yield self.app_test_client.login(session=first_request.getSession()) yield response yield self.wait_for_session_user_id_to_finish() @@ -39,7 +39,7 @@ class MultiUserLogoutTest(MultiUserSoledadTestBase): "/logout", json.dumps({'csrftoken': [login_request.getCookie('XSRF-TOKEN')]}), ajax=False, - from_request=login_request, + session=login_request.getSession(), as_json=False) yield response diff --git a/service/test/integration/test_multi_user_login.py b/service/test/integration/test_multi_user_login.py index af2a81ac..e1f58202 100644 --- a/service/test/integration/test_multi_user_login.py +++ b/service/test/integration/test_multi_user_login.py @@ -33,13 +33,14 @@ class MultiUserLoginTest(MultiUserSoledadTestBase): @defer.inlineCallbacks def test_logged_in_users_sees_resources(self): - response, login_request = yield self.app_test_client.login() + response, first_request = yield self.app_test_client.get('/login', as_json=False) + response, login_request = yield self.app_test_client.login(session=first_request.getSession()) yield response mail = load_mail_from_file('mbox00000000') mail_id = yield self._create_mail_in_soledad(mail) expected_mail_dict = {'body': u'Dignissimos ducimus veritatis. Est tenetur consequatur quia occaecati. Vel sit sit voluptas.\n\nEarum distinctio eos. Accusantium qui sint ut quia assumenda. Facere dignissimos inventore autem sit amet. Pariatur voluptatem sint est.\n\nUt recusandae praesentium aspernatur. Exercitationem amet placeat deserunt quae consequatur eum. Unde doloremque suscipit quia.\n\n', 'header': {u'date': u'Tue, 21 Apr 2015 08:43:27 +0000 (UTC)', u'to': [u'carmel@murazikortiz.name'], u'x-tw-pixelated-tags': u'nite, macro, trash', u'from': u'darby.senger@zemlak.biz', u'subject': u'Itaque consequatur repellendus provident sunt quia.'}, 'ident': mail_id, 'status': [], 'tags': [], 'textPlainBody': u'Dignissimos ducimus veritatis. Est tenetur consequatur quia occaecati. Vel sit sit voluptas.\n\nEarum distinctio eos. Accusantium qui sint ut quia assumenda. Facere dignissimos inventore autem sit amet. Pariatur voluptatem sint est.\n\nUt recusandae praesentium aspernatur. Exercitationem amet placeat deserunt quae consequatur eum. Unde doloremque suscipit quia.\n\n', 'mailbox': u'inbox', 'attachments': [], 'security_casing': {'imprints': [{'state': 'no_signature_information'}], 'locks': []}} - response, request = self.app_test_client.get("/mail/%s" % mail_id, from_request=login_request) + response, request = self.app_test_client.get("/mail/%s" % mail_id, session=login_request.getSession()) response = yield response self.assertEqual(200, request.code) @@ -48,7 +49,8 @@ class MultiUserLoginTest(MultiUserSoledadTestBase): @defer.inlineCallbacks def test_wrong_credentials_cannot_access_resources(self): - response, login_request = self.app_test_client.login('username', 'wrong_password') + response, first_request = yield self.app_test_client.get('/login', as_json=False) + response, login_request = self.app_test_client.login('username', 'wrong_password', session=first_request.getSession()) response_str = yield response self.assertEqual(401, login_request.responseCode) self.assertIn('Invalid credentials', login_request.written) diff --git a/service/test/integration/test_users_count.py b/service/test/integration/test_users_count.py index a03adacf..a9813b2c 100644 --- a/service/test/integration/test_users_count.py +++ b/service/test/integration/test_users_count.py @@ -31,7 +31,8 @@ class UsersResourceTest(MultiUserSoledadTestBase): @defer.inlineCallbacks def test_online_users_count_uses_leap_auth_privileges(self): - response, login_request = yield self.app_test_client.login() + response, first_request = yield self.app_test_client.get('/', as_json=False) + response, login_request = yield self.app_test_client.login(session=first_request.getSession()) yield response yield self.wait_for_session_user_id_to_finish() @@ -40,7 +41,7 @@ class UsersResourceTest(MultiUserSoledadTestBase): response, request = self.app_test_client.get( "/users", json.dumps({'csrftoken': [login_request.getCookie('XSRF-TOKEN')]}), - from_request=login_request, + session=login_request.getSession(), as_json=False) yield response diff --git a/service/test/support/integration/app_test_client.py b/service/test/support/integration/app_test_client.py index ee5a1df2..9ab74261 100644 --- a/service/test/support/integration/app_test_client.py +++ b/service/test/support/integration/app_test_client.py @@ -49,6 +49,7 @@ from pixelated.adapter.search import SearchEngine from pixelated.adapter.services.draft_service import DraftService from pixelated.adapter.services.mail_service import MailService from pixelated.resources.root_resource import RootResource +from pixelated.resources.session import IPixelatedSession from test.support.integration.model import MailBuilder from test.support.test_helper import request_mock from test.support.integration.model import ResponseMail @@ -278,17 +279,21 @@ class AppTestClient(object): request.args = get_args return self._render(request, as_json) - def post(self, path, body='', headers=None, ajax=True, csrf='token'): + def post(self, path, body='', headers=None, ajax=True, csrf='token', session=None): headers = headers or {'Content-Type': 'application/json'} request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf) + if session: + request.session = session return self._render(request) def put(self, path, body, ajax=True, csrf='token'): request = request_mock(path=path, method="PUT", body=body, headers={'Content-Type': ['application/json']}, ajax=ajax, csrf=csrf) return self._render(request) - def delete(self, path, body="", ajax=True, csrf='token'): + def delete(self, path, body="", ajax=True, csrf='token', session=None): request = request_mock(path=path, body=body, headers={'Content-Type': ['application/json']}, method="DELETE", ajax=ajax, csrf=csrf) + if session: + request.session = session return self._render(request) @defer.inlineCallbacks @@ -387,12 +392,14 @@ class AppTestClient(object): return res # TODO: remove - def delete_mail(self, mail_ident, csrf='token'): - res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf) + def delete_mail(self, mail_ident, session): + csrf = IPixelatedSession(session).get_csrf_token() + res, req = self.delete("/mail/%s" % mail_ident, csrf=csrf, session=session) return res - def delete_mails(self, idents): - res, req = self.post("/mails/delete", json.dumps({'idents': idents})) + def delete_mails(self, idents, session): + csrf = IPixelatedSession(session).get_csrf_token() + res, req = self.post("/mails/delete", json.dumps({'idents': idents}), csrf=csrf, session=session) return res def mark_many_as_unread(self, idents): diff --git a/service/test/support/integration/multi_user_client.py b/service/test/support/integration/multi_user_client.py index fe8595fb..4b9b2864 100644 --- a/service/test/support/integration/multi_user_client.py +++ b/service/test/support/integration/multi_user_client.py @@ -58,44 +58,41 @@ class MultiUserClient(AppTestClient): else: when(Authenticator)._bonafide_auth(username, password).thenRaise(SRPAuthError) - def login(self, username='username', password='password', from_request=None): - session = Authentication(username, 'some_user_token', 'some_user_uuid', 'session_id', {'is_admin': False}) + def login(self, username='username', password='password', session=None): + auth_session = Authentication(username, 'some_user_token', 'some_user_uuid', 'session_id', {'is_admin': False}) leap_session = self._test_account.leap_session - leap_session.user_auth = session + leap_session.user_auth = auth_session config = mock() config.leap_home = 'some_folder' leap_session.config = config leap_session.fresh_account = False self.leap_session = leap_session self.services = self._test_account.services - self.user_auth = session + self.user_auth = auth_session self._mock_bonafide_auth(username, password) - when(LeapSessionFactory).create(username, password, session).thenReturn(leap_session) + when(LeapSessionFactory).create(username, password, auth_session).thenReturn(leap_session) with patch('mockito.invocation.AnswerSelector', AnswerSelector): when(leap_session).initial_sync().thenAnswer(lambda: defer.succeed(None)) when(pixelated.config.services).Services(ANY()).thenReturn(self.services) - session = from_request.getSession() csrftoken = IPixelatedSession(session).get_csrf_token() request = request_mock(path='/login', method="POST", body={'username': username, 'password': password, 'csrftoken': csrftoken}, ajax=False) request.session = session return self._render(request, as_json=False) - def get(self, path, get_args='', as_json=True, from_request=None): + def get(self, path, get_args='', as_json=True, session=None): request = request_mock(path) request.args = get_args - if from_request: - session = from_request.getSession() + if session: request.session = session return self._render(request, as_json) - def post(self, path, body='', headers=None, ajax=True, csrf='token', as_json=True, from_request=None): + def post(self, path, body='', headers=None, ajax=True, csrf='token', as_json=True, session=None): headers = headers or {'Content-Type': 'application/json'} request = request_mock(path=path, method="POST", body=body, headers=headers, ajax=ajax, csrf=csrf) - if from_request: - session = from_request.getSession() + if session: request.session = session return self._render(request, as_json) -- cgit v1.2.3