def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault("SERVER_NAME", "foo")
environ.setdefault("SERVER_PORT", "80")
environ.setdefault("REQUEST_METHOD", "POST")
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
request.form = {"topic": "test subject", "replyto": "*****@*****.**", "comments": "test comments"}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView("context", "request").authenticator()
token = tag.split('"')[5]
request.form["_authenticator"] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ["REQUEST_METHOD"] = "GET"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form["_authenticator"] = "inauthentic"
request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test CSRF check on data clear """
# create a saver and add a record
self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
saver = self.ff1.saver
self.ff1.setActionAdapter( ('saver',) )
request = FakeRequest(topic = 'test subject', replyto='*****@*****.**', comments='test comments')
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual( errors, {} )
# for the rest of this test, we need a bit more serious request simulation
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
# clearSavedFormInput is part of the API, so it should work if there's no
# request
saver.clearSavedFormInput()
# But, if this is from a form, we should need a valid authenticator
request.form = {'clearSavedFormInput':'1',}
self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput, **{'request':request})
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
saver.clearSavedFormInput(request=request)
def checkAuthenticator(self, path, query='', status=200):
credentials = '%s:%s' % (ptc.default_user, ptc.default_password)
path = '/' + self.portal.absolute_url(relative=True) + path
data = StringIO(query)
# without authenticator...
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), 403)
# with authenticator...
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
data = StringIO(query + '&_authenticator=%s' % token)
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), status)
def checkAuthenticator(self, path, query='', status=200):
credentials = '%s:%s' % (TEST_USER_NAME, TEST_USER_PASSWORD)
path = '/' + self.portal.absolute_url(relative=True) + path
data = StringIO(query)
# without authenticator...
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), 403)
# with authenticator...
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
data = StringIO(query + '&_authenticator=%s' % token)
response = self.publish(path=path, basic=credentials, env={},
request_method='POST', stdin=data)
self.assertEqual(response.getStatus(), status)
class AuthenticatorTests(KeyringTestCase):
def setUp(self):
KeyringTestCase.setUp(self)
self.view = AuthenticatorView(None, None)
def setUsername(self, name):
user = getSecurityManager().getUser()
user.name = name
def setSecret(self, secret):
self.manager['_forms'].data[0] = secret
def testIsHtmlInput(self):
auth = self.view.authenticator()
self.failUnless(auth.startswith("<input"))
self.failUnless(auth.endswith("/>"))
def testDiffersPerUser(self):
one = self.view.authenticator()
self.setUsername("other")
two = self.view.authenticator()
self.assertNotEqual(one, two)
def testDiffersPerSecret(self):
one = self.view.authenticator()
self.setSecret("other")
two = self.view.authenticator()
self.assertNotEqual(one, two)
def testDiffersPerExtra(self):
one = self.view.authenticator()
two = self.view.authenticator('some-extra-value')
self.assertNotEqual(one, two)
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = {
'topic': 'test subject',
'replyto': '*****@*****.**',
'comments': 'test comments',
}
self.ff1.CSRFProtection = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self):
""" test csrf protection """
# for this test, we need a bit more serious request simulation
from ZPublisher.HTTPRequest import HTTPRequest
from ZPublisher.HTTPResponse import HTTPResponse
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
request.form = \
{'topic':'test subject',
'replyto':'*****@*****.**',
'comments':'test comments'}
self.ff1.checkAuthenticator = True
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual( errors, {} )
# sneaky GET request
environ['REQUEST_METHOD'] = 'GET'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
# bad authenticator
request.form['_authenticator'] = 'inauthentic'
request = HTTPRequest(sys.stdin,
environ,
HTTPResponse(stdout=sys.stdout))
self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
class VerifyTests(KeyringTestCase):
def setUp(self):
self.request={}
KeyringTestCase.setUp(self)
self.view=AuthenticatorView(None, self.request)
def setAuthenticator(self, key):
user=getSecurityManager().getUser().getUserName()
auth=hmac.new(key, user, sha).hexdigest()
self.request["_authenticator"]=auth
def testCorrectAuthenticator(self):
self.manager.keys[0]=("secret")
self.setAuthenticator("secret")
self.assertEqual(self.view.verify(), True)
def testOlderSecretVerifies(self):
self.manager.keys[3]="backup"
self.setAuthenticator("backup")
self.assertEqual(self.view.verify(), True)
def testMissingAuthenticator(self):
self.assertEqual(self.view.verify(), False)
def testIncorrectAuthenticator(self):
self.request["_authenticator"]="incorrect"
self.assertEqual(self.view.verify(), False)
def testAuthenticatorWrongType(self):
self.request["_authenticator"]=123
self.assertEqual(self.view.verify(), False)
def testCSRF(self):
""" test CSRF check on data clear """
# create a saver and add a record
self.ff1.invokeFactory('FormSaveDataAdapter', 'saver')
saver = self.ff1.saver
self.ff1.setActionAdapter(('saver', ))
request = FakeRequest(topic='test subject',
replyto='*****@*****.**',
comments='test comments')
errors = self.ff1.fgvalidate(REQUEST=request)
self.assertEqual(errors, {})
# for the rest of this test, we need a bit more serious request simulation
environ = {}
environ.setdefault('SERVER_NAME', 'foo')
environ.setdefault('SERVER_PORT', '80')
environ.setdefault('REQUEST_METHOD', 'POST')
request = HTTPRequest(sys.stdin, environ,
HTTPResponse(stdout=sys.stdout))
# clearSavedFormInput is part of the API, so it should work if there's no
# request
saver.clearSavedFormInput()
# But, if this is from a form, we should need a valid authenticator
request.form = {
'clearSavedFormInput': '1',
}
self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput,
**{'request': request})
# with authenticator... no error
tag = AuthenticatorView('context', 'request').authenticator()
token = tag.split('"')[5]
request.form['_authenticator'] = token
saver.clearSavedFormInput(request=request)
class VerifyTests(KeyringTestCase):
key_size = 2
def setUp(self):
self.request = MockRequest()
super(VerifyTests, self).setUp()
self.view = AuthenticatorView(None, self.request)
def setAuthenticator(self, key, extra='', name="_authenticator"):
user = getSecurityManager().getUser().getUserName()
if six.PY3:
user = user.encode('utf-8')
extra = extra.encode('utf-8')
auth = hmac.new(key.encode('utf-8'), user + extra, sha).hexdigest()
self.request[name] = auth
def testCorrectAuthenticator(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret")
self.assertEqual(self.view.verify(), True)
def testCustomAuthenticatorKeyName(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret", name="_my_authenticator")
self.assertEqual(self.view.verify(name="_my_authenticator"), True)
def testOlderSecretVerifies(self):
self.manager['_forms'].data[1] = "backup"
self.setAuthenticator("backup")
self.assertEqual(self.view.verify(), True)
def testMissingAuthenticator(self):
self.assertEqual(self.view.verify(), False)
def testIncorrectAuthenticator(self):
self.request["_authenticator"] = "incorrect"
self.assertEqual(self.view.verify(), False)
def testAuthenticatorWrongType(self):
self.request["_authenticator"] = 123
self.assertEqual(self.view.verify(), False)
def testExtraArgumentCanBeVerified(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret", 'some-extra-value')
self.assertEqual(self.view.verify('some-extra-value'), True)
class VerifyTests(KeyringTestCase):
key_size = 2
def setUp(self):
self.request = MockRequest()
super(VerifyTests, self).setUp()
self.view = AuthenticatorView(None, self.request)
def setAuthenticator(self, key, extra='', name="_authenticator"):
user = getSecurityManager().getUser().getUserName()
auth = hmac.new(key, user + extra, sha).hexdigest()
self.request[name] = auth
def testCorrectAuthenticator(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret")
self.assertEqual(self.view.verify(), True)
def testCustomAuthenticatorKeyName(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret", name="_my_authenticator")
self.assertEqual(self.view.verify(name="_my_authenticator"), True)
def testOlderSecretVerifies(self):
self.manager['_forms'].data[1] = "backup"
self.setAuthenticator("backup")
self.assertEqual(self.view.verify(), True)
def testMissingAuthenticator(self):
self.assertEqual(self.view.verify(), False)
def testIncorrectAuthenticator(self):
self.request["_authenticator"] = "incorrect"
self.assertEqual(self.view.verify(), False)
def testAuthenticatorWrongType(self):
self.request["_authenticator"] = 123
self.assertEqual(self.view.verify(), False)
def testExtraArgumentCanBeVerified(self):
self.manager['_forms'].data[0] = "secret"
self.setAuthenticator("secret", 'some-extra-value')
self.assertEqual(self.view.verify('some-extra-value'), True)
class VerifyTests(KeyringTestCase):
def setUp(self):
self.request = MockRequest()
KeyringTestCase.setUp(self)
self.view = AuthenticatorView(None, self.request)
def setAuthenticator(self, key, extra='', name="_authenticator"):
user = getSecurityManager().getUser().getUserName()
auth = hmac.new(key, user + extra, sha).hexdigest()
self.request[name] = auth
def testCorrectAuthenticator(self):
self.manager.keys[0] = ("secret")
self.setAuthenticator("secret")
self.assertEqual(self.view.verify(), True)
def testCustomAuthenticatorKeyName(self):
self.manager.keys[0] = ("secret")
self.setAuthenticator("secret", name="_my_authenticator")
self.assertEqual(self.view.verify(name="_my_authenticator"), True)
def testOlderSecretVerifies(self):
self.manager.keys[3] = "backup"
self.setAuthenticator("backup")
self.assertEqual(self.view.verify(), True)
def testMissingAuthenticator(self):
self.assertEqual(self.view.verify(), False)
def testIncorrectAuthenticator(self):
self.request["_authenticator"] = "incorrect"
self.assertEqual(self.view.verify(), False)
def testAuthenticatorWrongType(self):
self.request["_authenticator"] = 123
self.assertEqual(self.view.verify(), False)
def testExtraArgumentCanBeVerified(self):
self.manager.keys[0] = ("secret")
self.setAuthenticator("secret", 'some-extra-value')
self.assertEqual(self.view.verify('some-extra-value'), True)
def read(context, request):
tag = AuthenticatorView(context, request).authenticator()
pattern = '<input .*name="(\w+)".*value="(\w+)"'
_authenticator = re.match(pattern, tag).groups()[1]
ret = {
"url": router.url_for("read", force_external=True),
"success": True,
"error": False,
"objects": [],
"_authenticator": _authenticator,
}
debug_mode = App.config.getConfiguration().debug_mode
catalog_name = request.get("catalog_name", "portal_catalog")
if not catalog_name:
raise ValueError("bad or missing catalog_name: " + catalog_name)
catalog = getToolByName(context, catalog_name)
indexes = catalog.indexes()
contentFilter = {}
for index in indexes:
if index in request:
if index == 'review_state' and "{" in request[index]:
continue
contentFilter[index] = safe_unicode(request[index])
if "%s[]"%index in request:
value = request["%s[]"%index]
if type(value) in (list, tuple):
contentFilter[index] = [safe_unicode(v) for v in value]
else:
contentFilter[index] = value
if 'limit' in request:
try:
contentFilter['sort_limit'] = int(request["limit"])
except ValueError:
pass
sort_on = request.get('sort_on', 'id')
contentFilter['sort_on'] = sort_on
# sort order
sort_order = request.get('sort_order', '')
if sort_order:
contentFilter['sort_order'] = sort_order
else:
sort_order = 'ascending'
contentFilter['sort_order'] = 'ascending'
include_fields = get_include_fields(request)
if debug_mode:
logger.info("contentFilter: " + str(contentFilter))
# Get matching objects from catalog
proxies = catalog(**contentFilter)
# batching items
page_nr = int(request.get("page_nr", 0))
try:
page_size = int(request.get("page_size", 10))
except ValueError:
page_size = 10
# page_size == 0: show all
if page_size == 0:
page_size = len(proxies)
first_item_nr = page_size * page_nr
if first_item_nr > len(proxies):
first_item_nr = 0
page_proxies = proxies[first_item_nr:first_item_nr + page_size]
for proxy in page_proxies:
obj_data = {}
# Place all proxy attributes into the result.
obj_data.update(load_brain_metadata(proxy, include_fields))
# Place all schema fields ino the result.
obj = proxy.getObject()
obj_data.update(load_field_values(obj, include_fields))
obj_data['path'] = "/".join(obj.getPhysicalPath())
# call any adapters that care to modify this data.
adapters = getAdapters((obj, ), IJSONReadExtender)
for name, adapter in adapters:
adapter(request, obj_data)
ret['objects'].append(obj_data)
ret['total_objects'] = len(proxies)
ret['first_object_nr'] = first_item_nr
last_object_nr = first_item_nr + len(page_proxies)
if last_object_nr > ret['total_objects']:
last_object_nr = ret['total_objects']
ret['last_object_nr'] = last_object_nr
if debug_mode:
logger.info("{0} objects returned".format(len(ret['objects'])))
return ret
def setUp(self):
self.request={}
KeyringTestCase.setUp(self)
self.view=AuthenticatorView(None, self.request)
def setUp(self):
self.request = MockRequest()
super(VerifyTests, self).setUp()
self.view = AuthenticatorView(None, self.request)
def setUp(self):
KeyringTestCase.setUp(self)
self.view = AuthenticatorView(None, None)
def test_CSRF_header(self):
self.request.environ['HTTP_X_CSRF_TOKEN'] = createToken()
view = AuthenticatorView(None, self.request)
self.assertEqual(view.verify(), True)
def setUp(self):
self.request = MockRequest()
KeyringTestCase.setUp(self)
self.view = AuthenticatorView(None, self.request)
def test_incorrect_CSRF_header(self):
self.request.environ['HTTP_X_CSRF_TOKEN'] = 'foobar'
view = AuthenticatorView(None, self.request)
self.assertEqual(view.verify(), False)
def test_CSRF_header(self):
self.request.environ['HTTP_X_CSRF_TOKEN'] = createToken()
view = AuthenticatorView(None, self.request)
self.assertEqual(view.verify(), True)
def test_incorrect_CSRF_header(self):
self.request.environ['HTTP_X_CSRF_TOKEN'] = 'foobar'
view = AuthenticatorView(None, self.request)
self.assertEqual(view.verify(), False)
def getAuthenticator(self):
tag = AuthenticatorView('context', 'request').authenticator()
pattern = r'<input .*name="(\w+)".*value="(\w+)"'
return match(pattern, tag).groups()
