pytask: parts/django/tests/regressiontests/csrf_tests/tests.py@8fcde6f8f750 (annotated)

307 c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	1	# -- coding: utf-8 --
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	2
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	3	from django.test import TestCase
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	4	from django.http import HttpRequest, HttpResponse
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	5	from django.middleware.csrf import CsrfMiddleware, CsrfViewMiddleware
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	6	from django.views.decorators.csrf import csrf_exempt, csrf_view_exempt, requires_csrf_token
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	7	from django.core.context_processors import csrf
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	8	from django.contrib.sessions.middleware import SessionMiddleware
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	9	from django.utils.importlib import import_module
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	10	from django.conf import settings
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	11	from django.template import RequestContext, Template
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	12
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	13	# Response/views used for CsrfResponseMiddleware and CsrfViewMiddleware tests
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	14	def post_form_response():
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	15	resp = HttpResponse(content=u"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	16	<html><body><h1>\u00a1Unicode!<form method="post"><input type="text" /></form></body></html>
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	17	""", mimetype="text/html")
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	18	return resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	19
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	20	def post_form_response_non_html():
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	21	resp = post_form_response()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	22	resp["Content-Type"] = "application/xml"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	23	return resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	24
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	25	def post_form_view(request):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	26	"""A view that returns a POST form (without a token)"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	27	return post_form_response()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	28
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	29	# Response/views used for template tag tests
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	30	def _token_template():
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	31	return Template("{% csrf_token %}")
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	32
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	33	def _render_csrf_token_template(req):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	34	context = RequestContext(req, processors=[csrf])
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	35	template = _token_template()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	36	return template.render(context)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	37
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	38	def token_view(request):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	39	"""A view that uses {% csrf_token %}"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	40	return HttpResponse(_render_csrf_token_template(request))
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	41
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	42	def non_token_view_using_request_processor(request):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	43	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	44	A view that doesn't use the token, but does use the csrf view processor.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	45	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	46	context = RequestContext(request, processors=[csrf])
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	47	template = Template("")
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	48	return HttpResponse(template.render(context))
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	49
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	50	class TestingHttpRequest(HttpRequest):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	51	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	52	A version of HttpRequest that allows us to change some things
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	53	more easily
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	54	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	55	def is_secure(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	56	return getattr(self, '_is_secure', False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	57
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	58	class CsrfMiddlewareTest(TestCase):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	59	# The csrf token is potentially from an untrusted source, so could have
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	60	# characters that need dealing with.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	61	_csrf_id_cookie = "<1>\xc2\xa1"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	62	_csrf_id = "1"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	63
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	64	# This is a valid session token for this ID and secret key. This was generated using
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	65	# the old code that we're to be backwards-compatible with. Don't use the CSRF code
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	66	# to generate this hash, or we're merely testing the code against itself and not
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	67	# checking backwards-compatibility. This is also the output of (echo -n test1 \| md5sum).
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	68	_session_token = "5a105e8b9d40e1329780d62ea2265d8a"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	69	_session_id = "1"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	70	_secret_key_for_session_test= "test"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	71
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	72	def _get_GET_no_csrf_cookie_request(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	73	return TestingHttpRequest()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	74
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	75	def _get_GET_csrf_cookie_request(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	76	req = TestingHttpRequest()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	77	req.COOKIES[settings.CSRF_COOKIE_NAME] = self._csrf_id_cookie
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	78	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	79
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	80	def _get_POST_csrf_cookie_request(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	81	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	82	req.method = "POST"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	83	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	84
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	85	def _get_POST_no_csrf_cookie_request(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	86	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	87	req.method = "POST"
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	88	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	89
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	90	def _get_POST_request_with_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	91	req = self._get_POST_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	92	req.POST['csrfmiddlewaretoken'] = self._csrf_id
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	93	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	94
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	95	def _get_POST_session_request_with_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	96	req = self._get_POST_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	97	req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	98	req.POST['csrfmiddlewaretoken'] = self._session_token
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	99	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	100
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	101	def _get_POST_session_request_no_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	102	req = self._get_POST_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	103	req.COOKIES[settings.SESSION_COOKIE_NAME] = self._session_id
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	104	return req
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	105
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	106	def _check_token_present(self, response, csrf_id=None):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	107	self.assertContains(response, "name='csrfmiddlewaretoken' value='%s'" % (csrf_id or self._csrf_id))
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	108
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	109	# Check the post processing and outgoing cookie
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	110	def test_process_response_no_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	111	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	112	When no prior CSRF cookie exists, check that the cookie is created and a
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	113	token is inserted.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	114	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	115	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	116	CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	117
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	118	resp = post_form_response()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	119	resp_content = resp.content # needed because process_response modifies resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	120	resp2 = CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	121
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	122	csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	123	self.assertNotEqual(csrf_cookie, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	124	self.assertNotEqual(resp_content, resp2.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	125	self._check_token_present(resp2, csrf_cookie.value)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	126	# Check the Vary header got patched correctly
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	127	self.assert_('Cookie' in resp2.get('Vary',''))
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	128
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	129	def test_process_response_for_exempt_view(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	130	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	131	Check that a view decorated with 'csrf_view_exempt' is still
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	132	post-processed to add the CSRF token.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	133	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	134	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	135	CsrfMiddleware().process_view(req, csrf_view_exempt(post_form_view), (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	136
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	137	resp = post_form_response()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	138	resp_content = resp.content # needed because process_response modifies resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	139	resp2 = CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	140
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	141	csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	142	self.assertNotEqual(csrf_cookie, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	143	self.assertNotEqual(resp_content, resp2.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	144	self._check_token_present(resp2, csrf_cookie.value)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	145
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	146	def test_process_response_no_csrf_cookie_view_only_get_token_used(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	147	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	148	When no prior CSRF cookie exists, check that the cookie is created, even
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	149	if only CsrfViewMiddleware is used.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	150	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	151	# This is checking that CsrfViewMiddleware has the cookie setting
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	152	# code. Most of the other tests use CsrfMiddleware.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	153	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	154	# token_view calls get_token() indirectly
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	155	CsrfViewMiddleware().process_view(req, token_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	156	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	157	resp2 = CsrfViewMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	158
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	159	csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	160	self.assertNotEqual(csrf_cookie, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	161
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	162	def test_process_response_get_token_not_used(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	163	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	164	Check that if get_token() is not called, the view middleware does not
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	165	add a cookie.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	166	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	167	# This is important to make pages cacheable. Pages which do call
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	168	# get_token(), assuming they use the token, are not cacheable because
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	169	# the token is specific to the user
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	170	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	171	# non_token_view_using_request_processor does not call get_token(), but
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	172	# does use the csrf request processor. By using this, we are testing
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	173	# that the view processor is properly lazy and doesn't call get_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	174	# until needed.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	175	CsrfViewMiddleware().process_view(req, non_token_view_using_request_processor, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	176	resp = non_token_view_using_request_processor(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	177	resp2 = CsrfViewMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	178
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	179	csrf_cookie = resp2.cookies.get(settings.CSRF_COOKIE_NAME, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	180	self.assertEqual(csrf_cookie, False)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	181
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	182	def test_process_response_existing_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	183	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	184	Check that the token is inserted when a prior CSRF cookie exists
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	185	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	186	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	187	CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	188
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	189	resp = post_form_response()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	190	resp_content = resp.content # needed because process_response modifies resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	191	resp2 = CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	192	self.assertNotEqual(resp_content, resp2.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	193	self._check_token_present(resp2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	194
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	195	def test_process_response_non_html(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	196	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	197	Check the the post-processor does nothing for content-types not in _HTML_TYPES.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	198	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	199	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	200	CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	201	resp = post_form_response_non_html()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	202	resp_content = resp.content # needed because process_response modifies resp
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	203	resp2 = CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	204	self.assertEquals(resp_content, resp2.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	205
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	206	def test_process_response_exempt_view(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	207	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	208	Check that no post processing is done for an exempt view
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	209	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	210	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	211	view = csrf_exempt(post_form_view)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	212	CsrfMiddleware().process_view(req, view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	213
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	214	resp = view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	215	resp_content = resp.content
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	216	resp2 = CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	217	self.assertEquals(resp_content, resp2.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	218
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	219	# Check the request processing
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	220	def test_process_request_no_session_no_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	221	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	222	Check that if neither a CSRF cookie nor a session cookie are present,
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	223	the middleware rejects the incoming request. This will stop login CSRF.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	224	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	225	req = self._get_POST_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	226	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	227	self.assertEquals(403, req2.status_code)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	228
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	229	def test_process_request_csrf_cookie_no_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	230	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	231	Check that if a CSRF cookie is present but no token, the middleware
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	232	rejects the incoming request.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	233	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	234	req = self._get_POST_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	235	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	236	self.assertEquals(403, req2.status_code)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	237
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	238	def test_process_request_csrf_cookie_and_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	239	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	240	Check that if both a cookie and a token is present, the middleware lets it through.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	241	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	242	req = self._get_POST_request_with_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	243	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	244	self.assertEquals(None, req2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	245
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	246	def test_process_request_session_cookie_no_csrf_cookie_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	247	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	248	When no CSRF cookie exists, but the user has a session, check that a token
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	249	using the session cookie as a legacy CSRF cookie is accepted.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	250	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	251	orig_secret_key = settings.SECRET_KEY
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	252	settings.SECRET_KEY = self._secret_key_for_session_test
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	253	try:
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	254	req = self._get_POST_session_request_with_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	255	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	256	self.assertEquals(None, req2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	257	finally:
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	258	settings.SECRET_KEY = orig_secret_key
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	259
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	260	def test_process_request_session_cookie_no_csrf_cookie_no_token(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	261	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	262	Check that if a session cookie is present but no token and no CSRF cookie,
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	263	the request is rejected.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	264	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	265	req = self._get_POST_session_request_no_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	266	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	267	self.assertEquals(403, req2.status_code)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	268
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	269	def test_process_request_csrf_cookie_no_token_exempt_view(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	270	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	271	Check that if a CSRF cookie is present and no token, but the csrf_exempt
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	272	decorator has been applied to the view, the middleware lets it through
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	273	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	274	req = self._get_POST_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	275	req2 = CsrfMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	276	self.assertEquals(None, req2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	277
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	278	def test_ajax_exemption(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	279	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	280	Check that AJAX requests are automatically exempted.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	281	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	282	req = self._get_POST_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	283	req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	284	req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	285	self.assertEquals(None, req2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	286
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	287	# Tests for the template tag method
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	288	def test_token_node_no_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	289	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	290	Check that CsrfTokenNode works when no CSRF cookie is set
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	291	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	292	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	293	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	294	self.assertEquals(u"", resp.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	295
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	296	def test_token_node_empty_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	297	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	298	Check that we get a new token if the csrf_cookie is the empty string
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	299	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	300	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	301	req.COOKIES[settings.CSRF_COOKIE_NAME] = ""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	302	CsrfViewMiddleware().process_view(req, token_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	303	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	304
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	305	self.assertNotEqual(u"", resp.content)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	306
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	307	def test_token_node_with_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	308	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	309	Check that CsrfTokenNode works when a CSRF cookie is set
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	310	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	311	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	312	CsrfViewMiddleware().process_view(req, token_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	313	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	314	self._check_token_present(resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	315
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	316	def test_get_token_for_exempt_view(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	317	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	318	Check that get_token still works for a view decorated with 'csrf_view_exempt'.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	319	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	320	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	321	CsrfViewMiddleware().process_view(req, csrf_view_exempt(token_view), (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	322	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	323	self._check_token_present(resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	324
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	325	def test_get_token_for_requires_csrf_token_view(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	326	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	327	Check that get_token works for a view decorated solely with requires_csrf_token
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	328	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	329	req = self._get_GET_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	330	resp = requires_csrf_token(token_view)(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	331	self._check_token_present(resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	332
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	333	def test_token_node_with_new_csrf_cookie(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	334	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	335	Check that CsrfTokenNode works when a CSRF cookie is created by
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	336	the middleware (when one was not already present)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	337	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	338	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	339	CsrfViewMiddleware().process_view(req, token_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	340	resp = token_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	341	resp2 = CsrfViewMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	342	csrf_cookie = resp2.cookies[settings.CSRF_COOKIE_NAME]
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	343	self._check_token_present(resp, csrf_id=csrf_cookie.value)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	344
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	345	def test_response_middleware_without_view_middleware(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	346	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	347	Check that CsrfResponseMiddleware finishes without error if the view middleware
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	348	has not been called, as is the case if a request middleware returns a response.
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	349	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	350	req = self._get_GET_no_csrf_cookie_request()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	351	resp = post_form_view(req)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	352	CsrfMiddleware().process_response(req, resp)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	353
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	354	def test_https_bad_referer(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	355	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	356	Test that a POST HTTPS request with a bad referer is rejected
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	357	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	358	req = self._get_POST_request_with_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	359	req._is_secure = True
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	360	req.META['HTTP_HOST'] = 'www.example.com'
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	361	req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	362	req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	363	self.assertNotEqual(None, req2)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	364	self.assertEquals(403, req2.status_code)
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	365
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	366	def test_https_good_referer(self):
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	367	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	368	Test that a POST HTTPS request with a good referer is accepted
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	369	"""
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	370	req = self._get_POST_request_with_token()
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	371	req._is_secure = True
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	372	req.META['HTTP_HOST'] = 'www.example.com'
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	373	req.META['HTTP_REFERER'] = 'https://www.example.com/somepage'
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	374	req2 = CsrfViewMiddleware().process_view(req, post_form_view, (), {})
c6bca38c1cbf Added buildout stuff and made changes accordingly Nishanth Amuluru <nishanth@fossee.in> parents: diff changeset	375	self.assertEquals(None, req2)

author	Nishanth Amuluru <nishanth@fossee.in>
	Tue, 11 Jan 2011 12:30:10 +0530
changeset 378	8fcde6f8f750
parent 307	c6bca38c1cbf
permissions	-rw-r--r--