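def test_shot_set_expiration_with_valid_csrftoken_ok():
    """Setting a shot's expiration succeeds when the genuine CSRF token is sent.

    ``set_expiration`` reads the ``_csrf`` token from the shot page and posts
    it back, so this exercises the accepted path of the CSRF check.
    """
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        try:
            user.set_expiration(shot_url, 290)  # reads and uses csrf token from shot page
        finally:
            # Delete the shot even when set_expiration raises, so a failing
            # run does not leave test shots behind on the backend.
            user.delete_shot(shot_url)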
def test_jpeg_upload():
    """A shot uploaded with a JPEG clip reports ``image/jpeg`` when read back."""
    with screenshots_session() as user:
        created_url = user.create_shot(docTitle="TEST_JPEG",
                                       image_content_type="image/jpeg",
                                       image_index=0)
        stored = user.read_shot(created_url)
        assert stored["clip_content_type"] == "image/jpeg"
def test_disconnect_device_with_invalid_csrftoken_fails():
    """POST /api/disconnect-device/ with a bogus ``_csrf`` value is rejected (403)."""
    with screenshots_session() as user:
        endpoint = urljoin(user.backend, '/api/disconnect-device/')
        resp = user.session.post(endpoint, {"_csrf": "bad-token"})
        print(resp.text)  # shown by pytest only when the assertion fails
        assert resp.status_code == 403  # Bad CSRF Token
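def test_edit_to_set_invalid_clip_image_url_fails():
    """Editing a shot must not accept an invalid clip image URL.

    The URL carries a CSS-injection style suffix; the backend is expected to
    answer 400 on /api/save-edit instead of storing it.
    """
    with screenshots_session() as user:
        shot_id = make_random_id() + "/test.com"
        shot_url = urljoin(user.backend, shot_id)
        shot_data = urljoin(user.backend, "data/" + shot_id)
        shot_json = make_example_shot(user.deviceId)
        invalid_url = "https://example.com/?aaA=bbb=\"); background-color: red;"
        # save a shot
        resp = user.session.put(shot_data, json=shot_json)
        assert resp.status_code == 200
        try:
            csrf = user.read_shot(shot_url)['csrf']
            # don't allow editing to set an invalid shot image url
            resp = user.session.post(
                urljoin(user.backend, "/api/save-edit"),
                {"shotId": shot_id, "url": invalid_url, "_csrf": csrf},
            )
            print(resp.text)
            assert resp.status_code == 400
        finally:
            # Remove the shot even if an assertion above fails.
            user.delete_shot(shot_url)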
def test_login_wrong_secret():
    """Login with a valid deviceId but the wrong secret is refused with 404."""
    with screenshots_session() as user:
        form = {"deviceId": user.deviceId,
                "secret": "wrong_secret",
                "deviceInfo": json.dumps(user.deviceInfo)}
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 404
def test_login_invalid_json_deviceinfo():
    """Login still returns 200 when ``deviceInfo`` is not valid JSON.

    This pins the backend's current tolerance of a malformed deviceInfo blob.
    """
    with screenshots_session() as user:
        form = {"deviceId": user.deviceId,
                "secret": user.secret,
                "deviceInfo": "}"}
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_my_shots_page():
    """The /shots page loads for a logged-in user and for an anonymous client."""
    with screenshots_session() as user:
        user.read_my_shots()
        # e.g. direct navigation to /shots in private window
        anonymous = ScreenshotsClient()
        anonymous.get_uri("/shots").raise_for_status()
def test_login_wrong_secret():
    """Login with a valid deviceId but the wrong secret is refused with 404."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        resp = requests.post(login_url,
                             data={"deviceId": user.deviceId,
                                   "secret": "wrong_secret",
                                   "deviceInfo": json.dumps(user.deviceInfo)})
        print(resp.text, resp.status_code)
        assert resp.status_code == 404
def test_my_shots_page():
    """The /shots page loads for a logged-in user and for an anonymous client."""
    with screenshots_session() as user:
        user.read_my_shots()
        # e.g. direct navigation to /shots in private window
        anon_resp = ScreenshotsClient().get_uri("/shots")
        anon_resp.raise_for_status()
def test_login_missing_deviceid():
    """Login without a ``deviceId`` field is refused with 404 (no such user)."""
    with screenshots_session() as user:
        form = {"secret": user.secret,
                "deviceInfo": json.dumps(user.deviceInfo)}
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 404  # no such user
def test_login_invalid_json_deviceinfo():
    """Login still returns 200 when ``deviceInfo`` is not valid JSON.

    This pins the backend's current tolerance of a malformed deviceInfo blob.
    """
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        resp = requests.post(login_url,
                             data={"deviceId": user.deviceId,
                                   "secret": user.secret,
                                   "deviceInfo": "}"})
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
def test_login_missing_deviceid():
    """Login without a ``deviceId`` field is refused with 404 (no such user)."""
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        resp = requests.post(login_url,
                             data={"secret": user.secret,
                                   "deviceInfo": json.dumps(user.deviceInfo)})
        print(resp.text, resp.status_code)
        assert resp.status_code == 404  # no such user
def test_get_shot_sets_csrf_cookie():
    """GET of a shot page leaves an HttpOnly ``_csrf`` cookie in the session."""
    with screenshots_session() as user:
        first_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlsplit(first_url).path.strip("/")
        # Create again under the same id with a different title and image.
        user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2", image_index=1)
        user.session.get(first_url).raise_for_status()
        assert_httponly_csrf_cookie(user.session)
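def test_delete_shot_without_csrftoken_fails():
    """POST /api/delete-shot without a ``_csrf`` field is rejected with 403."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            resp = user.session.post(urljoin(user.backend, "/api/delete-shot"),
                                     {"id": shot_id})
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)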
def test_login():
    """Login with the correct deviceId/secret pair returns 200.

    An unrelated ``ownershipCheck`` form field is included alongside the
    credentials.
    """
    with screenshots_session() as user:
        form = {"deviceId": user.deviceId,
                "secret": user.secret,
                "deviceInfo": json.dumps(user.deviceInfo),
                "ownershipCheck": "fooo"}
        resp = requests.post(urljoin(user.backend, "/api/login"), data=form)
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
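def test_disconnect_device_with_valid_csrftoken_ok():
    """POST /api/disconnect-device/ succeeds when the shot page's ``_csrf`` is sent."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        try:
            csrf = user.read_shot(shot_url)["csrf"]
            resp = user.session.post(
                urljoin(user.backend, '/api/disconnect-device/'),
                {"_csrf": csrf})
            print(resp.text)
            assert resp.status_code == 200  # ok?
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)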
def test_login():
    """Login with the correct deviceId/secret pair returns 200.

    An unrelated ``ownershipCheck`` form field is included alongside the
    credentials.
    """
    with screenshots_session() as user:
        login_url = urljoin(user.backend, "/api/login")
        resp = requests.post(login_url,
                             data={"deviceId": user.deviceId,
                                   "secret": user.secret,
                                   "deviceInfo": json.dumps(user.deviceInfo),
                                   "ownershipCheck": "fooo"})
        print(resp.text, resp.status_code)
        assert resp.status_code == 200
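def test_shot_set_title_with_invalid_csrftoken_fails():
    """POST /api/set-title/<id> with a bogus ``_csrf`` value is rejected (403)."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            resp = user.session.post(
                urljoin(urljoin(user.backend, "/api/set-title/"), shot_id),
                {"id": shot_id, "title": "new title", "_csrf": "bad-csrf-token"})
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)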
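def test_shot_set_expiration_with_invalid_csrftoken_fails():
    """POST /api/set-expiration with a bogus ``_csrf`` value is rejected (403)."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            resp = user.session.post(
                urljoin(user.backend, "/api/set-expiration"),
                {"id": shot_id, "expiration": "60", "_csrf": "bad-csrf-token"})
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)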
def test_leave_screenshots_without_csrftoken_fails():
    """POST /leave-screenshots/leave with no token in the body is rejected (403).

    The preceding GET is checked to have issued the HttpOnly ``_csrf`` cookie,
    so the 403 is attributable to the missing token field rather than a
    missing cookie.
    """
    with screenshots_session() as user:
        leave_page = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_page.status_code == 200
        assert_httponly_csrf_cookie(user.session)
        leave_action = urljoin(user.backend, "/leave-screenshots/leave")
        resp = user.session.post(leave_action)
        print(resp.text)
        assert resp.status_code == 403
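def test_shot_set_title_without_csrftoken_fails():
    """POST /api/set-title/<id> without a ``_csrf`` field is rejected (403)."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            resp = user.session.post(
                urljoin(urljoin(user.backend, "/api/set-title/"), shot_id),
                {"id": shot_id, "title": "new title"})
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)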
def test_get_settings_does_not_set_csrf_cookie():
    """Neither GET /settings/ nor GET /settings sets a ``_csrf`` cookie."""
    with screenshots_session() as user:
        settings_resp = user.get_settings()  # GET /settings/
        assert settings_resp.status_code == 200
        assert settings_resp.cookies.get('_csrf') is None
        # whether the 302 /settings/ -> /settings
        # with set-cookie actually sets _csrf
        # depends on the client
        direct_resp = user.get_uri(urljoin(user.backend, "/settings"))
        assert direct_resp.status_code == 200
        assert direct_resp.cookies.get('_csrf') is None
def test_creating_page():
    """/creating/<id> is served to the shot owner and to an anonymous client."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlparse.urlsplit(shot_url).path.strip("/")
        owner_resp = user.get_uri("/creating/" + shot_id)
        assert owner_resp.status_code == 200
        anonymous = ScreenshotsClient()
        creating_base = urljoin(anonymous.backend, "/creating/")
        anon_resp = requests.get(creating_base + shot_id)
        assert anon_resp.status_code == 200
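def test_disconnect_device_with_valid_csrftoken_ok():
    """POST /api/disconnect-device/ succeeds when the shot page's ``_csrf`` is sent."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        try:
            csrf = user.read_shot(shot_url)["csrf"]
            endpoint = urljoin(user.backend, '/api/disconnect-device/')
            resp = user.session.post(endpoint, {"_csrf": csrf})
            print(resp.text)
            assert resp.status_code == 200  # ok?
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)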
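def test_shot_edit_without_csrftoken_fails():
    """POST /api/save-edit with a bogus ``_csrf`` value is rejected (403)."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            body = {"shotId": shot_id,
                    "_csrf": "bad-csrf-token",
                    "url": "https://example.com/edited"}
            resp = user.session.post(urljoin(user.backend, '/api/save-edit'), body)
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)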
def test_creating_page():
    """/creating/<id> is served to the shot owner and to an anonymous client."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0)
        shot_id = urlparse.urlsplit(shot_url).path.strip("/")
        assert user.get_uri("/creating/" + shot_id).status_code == 200
        anon_backend = ScreenshotsClient().backend
        anon_resp = requests.get(urljoin(anon_backend, "/creating/") + shot_id)
        assert anon_resp.status_code == 200
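def test_shot_set_expiration_without_csrftoken_fails():
    """POST /api/set-expiration without a ``_csrf`` field is rejected (403)."""
    with screenshots_session(hasAccount=True) as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            resp = user.session.post(
                urljoin(user.backend, "/api/set-expiration"),
                {"id": shot_id, "expiration": "60"})
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)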
def test_leave_screenshots_with_valid_csrftoken_ok():
    """Leaving succeeds when the ``_csrf`` value from the form is POSTed back as JSON."""
    with screenshots_session() as user:
        leave_page = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_page.status_code == 200
        assert_httponly_csrf_cookie(user.session)
        # The token lives in a hidden <input name="_csrf"> on the page.
        token = re.search(r'<input.*name="_csrf".*value="([^"]*)"',
                          leave_page.text).group(1)
        leave_action = urljoin(user.backend, "/leave-screenshots/leave")
        user.session.post(leave_action, json={"_csrf": token}).raise_for_status()
def test_leave_screenshots_with_get_fails():
    """GET /leave-screenshots/leave is not routed (404) even with a valid token.

    State-changing actions must not be reachable by GET, where the token
    would end up in URLs, logs and referrers.
    """
    with screenshots_session() as user:
        leave_page = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_page.status_code == 200
        assert_httponly_csrf_cookie(user.session)
        token = re.search(r'<input.*name="_csrf".*value="([^"]*)"',
                          leave_page.text).group(1)
        leave_action = urljoin(user.backend, "/leave-screenshots/leave")
        resp = user.session.get(leave_action, params={"_csrf": token})
        assert resp.status_code == 404
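def test_shot_edit_without_csrftoken_fails():
    """POST /api/save-edit with a bogus ``_csrf`` value is rejected (403)."""
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        shot_id = user._get_id_from_url(shot_url)
        try:
            body = {"shotId": shot_id,
                    "_csrf": "bad-csrf-token",
                    "url": "https://example.com/edited"}
            resp = user.session.post(
                urljoin(user.backend, '/api/save-edit'),
                body)
            print(resp.text)
            assert resp.status_code == 403  # Bad CSRF Token
        finally:
            # Cleanup runs even when the assertion fails.
            user.delete_shot(shot_url)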
def test_leave_screenshots_with_duplicate_csrf_cookies_fails():
    """A leave request that carries two ``_csrf`` cookies is rejected with 400.

    NOTE(review): the ``cookies`` dict literal below repeats the ``'_csrf'``
    key, but a dict keeps only one entry per key, so the literal itself
    contributes a single ``_csrf`` cookie. Whether two ``_csrf`` cookies are
    actually put on the wire depends on how the HTTP client merges this entry
    with the ``_csrf`` already held in ``user.session.cookies`` — confirm by
    inspecting the outgoing ``Cookie`` header before relying on this test.
    """
    with screenshots_session() as user:
        leave_resp = user.session.get(user.backend + "/leave-screenshots/")
        assert leave_resp.status_code == 200
        assert_httponly_csrf_cookie(user.session)
        page = leave_resp.text
        # Token from the hidden <input name="_csrf"> on the page.
        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
        csrf = csrf_match.group(1)
        resp = user.session.post(
            urljoin(user.backend, "/leave-screenshots/leave"),
            cookies={'_csrf': user.session.cookies.get('_csrf'),  # noqa: F601
                     '_csrf': user.session.cookies.get('_csrf')},  # noqa: F601
            json={"_csrf": csrf})
        assert resp.status_code == 400
def test_invalid_clip_image_url_not_saved():
    """A shot whose first clip image URL contains injected CSS is not saved.

    The backend currently responds 500 (an assertion on the clip image url)
    rather than a 4xx; the test pins that the PUT does not succeed.
    """
    with screenshots_session() as user:
        shot_id = make_random_id() + "/test.com"
        shot_data = urljoin(user.backend, "data/" + shot_id)
        shot_json = make_example_shot(user.deviceId)
        invalid_url = "https://example.com/?aaA=bbb=\"); background-color: red;"
        # Only the first clip is tampered with; an empty clips dict is left alone.
        first_clip = next(iter(shot_json['clips']), None)
        if first_clip is not None:
            shot_json['clips'][first_clip]['image']['url'] = invalid_url
        resp = user.session.put(shot_data, json=shot_json)
        print(resp.text)
        assert resp.status_code == 500  # assertion failure on clip image url
def test_delete_shot_with_valid_csrftoken_ok():
    """Deleting a shot succeeds when the genuine CSRF token is used."""
    with screenshots_session() as user:
        new_shot = user.create_shot(docTitle="A_TEST_SITE_1")
        # delete_shot reads the csrf token from the shot page and posts it back.
        user.delete_shot(new_shot)
def test_settings_page():
    """GET /settings/ succeeds for a logged-in user (get_settings raises on HTTP error)."""
    with screenshots_session() as user:
        user.get_settings()
def user_setup():
    """Return ``(shot_data, shot_json, user)`` for a fresh random shot id.

    ``shot_data`` is the ``data/<id>`` URL on the user's backend and
    ``shot_json`` an example shot body for that device. The ``return`` sits
    inside the ``with`` block, so the ``screenshots_session`` context has
    exited before the caller receives ``user`` — NOTE(review): whether the
    returned client is still usable depends on that context manager's exit
    behaviour; confirm before adding callers.
    """
    with screenshots_session() as user:
        random_id = make_random_id() + "/test.com"
        data_url = urljoin(user.backend, "data/" + random_id)
        example_shot = make_example_shot(user.deviceId)
        return (data_url, example_shot, user)
def test_settings_page():
    """GET /settings/ succeeds for a logged-in user (get_settings raises on HTTP error)."""
    with screenshots_session() as current_user:
        current_user.get_settings()
def test_get_my_shots_sets_csrf_cookie():
    """Reading /shots leaves an HttpOnly ``_csrf`` cookie in the session."""
    with screenshots_session() as user:
        user.read_my_shots()  # raises on HTTP error
        assert_httponly_csrf_cookie(user.session)
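def test_shot_set_title_with_valid_csrftoken_ok():
    """Setting a shot title succeeds when the genuine CSRF token is used.

    ``set_title`` reads the ``_csrf`` token from the shot page and posts it
    back with the new title.
    """
    with screenshots_session() as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        try:
            user.set_title(shot_url, "New Screenshot Title")  # reads and uses csrf token from shot page
        finally:
            # Delete the shot even when set_title raises.
            user.delete_shot(shot_url)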
def user_setup():
    """Return ``(shot_data, shot_json, user)`` for a fresh random shot id.

    ``shot_data`` is the ``data/<id>`` URL on the user's backend and
    ``shot_json`` an example shot body for that device. The ``return`` sits
    inside the ``with`` block, so the ``screenshots_session`` context has
    exited before the caller receives ``user`` — NOTE(review): whether the
    returned client is still usable depends on that context manager's exit
    behaviour; confirm before adding callers.
    """
    with screenshots_session() as user:
        shot_path = "data/" + make_random_id() + "/test.com"
        shot_data = urljoin(user.backend, shot_path)
        shot_json = make_example_shot(user.deviceId)
        return (shot_data, shot_json, user)
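def test_shot_set_expiration_with_valid_csrftoken_ok():
    """Setting a shot's expiration succeeds when the genuine CSRF token is sent.

    Runs with ``hasAccount=True``; ``set_expiration`` reads the ``_csrf``
    token from the shot page and posts it back.
    """
    with screenshots_session(hasAccount=True) as user:
        shot_url = user.create_shot(docTitle="A_TEST_SITE_1")
        try:
            user.set_expiration(shot_url, 290)  # reads and uses csrf token from shot page
        finally:
            # Delete the shot even when set_expiration raises.
            user.delete_shot(shot_url)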