def start(self, cookies, cookieopts=None):
c = SimpleCookie(cookies)
sid = c.get(self.cookiename)
create = True
if sid is not None:
for m in self.get(sid.value):
yield m
if self.apiroutine.retvalue is not None:
self.apiroutine.retvalue = (self.SessionHandle(self.apiroutine.retvalue, self.apiroutine), [])
create = False
if create:
for m in self.create():
yield m
sh = self.apiroutine.retvalue
m = Morsel()
m.key = self.cookiename
m.value = sh.id
m.coded_value = sh.id
opts = {"path": "/", "httponly": True}
if cookieopts:
opts.update(cookieopts)
if not cookieopts["httponly"]:
del cookieopts["httponly"]
m.update(opts)
self.apiroutine.retvalue = (sh, [m])
def setUp(self):
"""Setting up test, in current case just setting the server url."""
self.logd("setUp")
self.label = "Authenticated Tests (QAauth)"
self.server_url = self.conf_get('main', 'url')
hostname = urlparse(self.server_url)[1].split(':')[0]
credential_host = self.conf_get('credential', 'host')
credential_port = self.conf_getInt('credential', 'port')
self.login, self.password = xmlrpc_get_credential(credential_host,
credential_port,
'members')
# Set the zope cookie. This is a little evil but avoids having to
# call the login page.
morsel = Morsel()
morsel.key = '__ac'
morsel.value = morsel.coded_value = urlquote(
encodestring('%s:%s' % (self.login, self.password)))
self._browser.cookies = {
hostname: {
'/': {
'__ac': morsel
}
}
}
def setUp(self):
"""Setting up test."""
self.logd("setUp")
self.server_url = self.conf_get('main', 'url')
# XXX here you can setup the credential access like this
credential_host = self.conf_get('credential', 'host')
credential_port = self.conf_getInt('credential', 'port')
self.login, self.password = xmlrpc_get_credential(credential_host,
credential_port,
'members')
#self.login = '******'
#self.password = '******'
# Set the zope cookie. This is a little evil but avoids having to
# call the login page.
morsel = Morsel()
morsel.key = '__ac'
morsel.value = morsel.coded_value = urlquote(
encodestring('%s:%s' % (self.login, self.password)))
self._browser.cookies = {
'rhaptos': {
'/': {
'__ac': morsel
}
}
}
def test_get_user_from_token(self):
instance = ESAPI.authenticator()
instance.logout()
account_name = "testUserFromToken"
password = instance.generate_strong_password()
user = instance.create_user(account_name, password, password)
user.enable()
###
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
m = Morsel()
m.key = HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME
m.value = "ridiculous"
request.cookies[m.key] = m
# Wrong cookie should fail
self.assertRaises(AuthenticationException, instance.login, request, response)
user.logout()
###
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.authenticator().current_user = user
new_token = ESAPI.http_utilities().set_remember_token(
password, 10000, "test.com", request.path, request, response )
request.set_cookie( key=HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, value=new_token )
ESAPI.http_utilities().set_current_http(request, response)
# Logout the current user so we can log them in with the remember cookie
user2 = instance.login(request, response)
self.assertEquals(user, user2)
async def start(self, cookies, cookieopts=None):
"""
Session start operation. First check among the cookies to find existed sessions;
if there is not an existed session, create a new one.
:param cookies: cookie header from the client
:param cookieopts: extra options used when creating a new cookie
:return: ``(session_handle, cookies)`` where session_handle is a SessionHandle object,
and cookies is a list of created Set-Cookie headers (may be empty)
"""
c = SimpleCookie(cookies)
sid = c.get(self.cookiename)
create = True
if sid is not None:
sh = await self.get(sid.value)
if sh is not None:
return (self.SessionHandle(sh, self.apiroutine), [])
if create:
sh = await self.create()
m = Morsel()
m.key = self.cookiename
m.value = sh.id
m.coded_value = sh.id
opts = {'path': '/', 'httponly': True}
if cookieopts:
opts.update(cookieopts)
if not cookieopts['httponly']:
del cookieopts['httponly']
m.update(opts)
return (sh, [m])
def to_cookies(self):
for key, (value, deleted) in self.__data.iteritems():
morsel = Morsel()
morsel.key = "session__%s" % key
if not deleted:
value = pickle.dumps(value)
value = base64.b64encode(value)
sig = quick_hash(self.id, self.secret_key, value)
value = ".".join((sig, value))
else:
value = 'no-value'
morsel['expires'] = -3600
# Sets the cookie to expire in the past.
morsel.coded_value = morsel.value = value
# This optionally sets the cookie's timeout till
# deletion.
if 'timeout' in self.options:
timeout = self.options['timeout']
morsel['expires'] = timeout
morsel['max-age'] = timeout
morsel['path'] = '/'
yield morsel
def start(self, cookies, cookieopts=None):
c = SimpleCookie(cookies)
sid = c.get(self.cookiename)
create = True
if sid is not None:
for m in self.get(sid.value):
yield m
if self.apiroutine.retvalue is not None:
self.apiroutine.retvalue = (self.SessionHandle(
self.apiroutine.retvalue, self.apiroutine), [])
create = False
if create:
for m in self.create():
yield m
sh = self.apiroutine.retvalue
m = Morsel()
m.key = self.cookiename
m.value = sh.id
m.coded_value = sh.id
opts = {'path': '/', 'httponly': True}
if cookieopts:
opts.update(cookieopts)
if not cookieopts['httponly']:
del cookieopts['httponly']
m.update(opts)
self.apiroutine.retvalue = (sh, [m])
def setcookie(self,
key,
value,
max_age=None,
expires=None,
path='/',
domain=None,
secure=None,
httponly=False):
newcookie = Morsel()
newcookie.key = key
newcookie.value = value
newcookie.coded_value = value
if max_age is not None:
newcookie['max-age'] = max_age
if expires is not None:
newcookie['expires'] = expires
if path is not None:
newcookie['path'] = path
if domain is not None:
newcookie['domain'] = domain
if secure:
newcookie['secure'] = secure
if httponly:
newcookie['httponly'] = httponly
self.sent_cookies = [c for c in self.sent_cookies if c.key != key]
self.sent_cookies.append(newcookie)
def destroy(self, sessionid):
for m in callAPI(self.apiroutine, "memorystorage", "delete", {"key": __name__ + "." + sessionid}):
yield m
m = Morsel()
m.key = self.cookiename
m.value = "deleted"
m.coded_value = "deleted"
opts = {"path": "/", "httponly": True, "max-age": 0}
m.update(opts)
self.apiroutine.retvalue = [m]
def destroy(self, sessionid):
for m in callAPI(self.apiroutine, 'memorystorage', 'delete',
{'key': __name__ + '.' + sessionid}):
yield m
m = Morsel()
m.key = self.cookiename
m.value = 'deleted'
m.coded_value = 'deleted'
opts = {'path': '/', 'httponly': True, 'max-age': 0}
m.update(opts)
self.apiroutine.retvalue = [m]
def test_kill_cookie(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
self.assertTrue(len(response.cookies) == 0)
new_cookies = {}
m = Morsel()
m.key = 'test1'
m.value = '1'
new_cookies[m.key] = m
m = Morsel()
m.key = 'test2'
m.value = '2'
new_cookies[m.key] = m
request.cookies = new_cookies
ESAPI.http_utilities().kill_cookie( "test1", request, response )
self.assertTrue(len(response.cookies) == 1)
def set_cookie(self, **kwargs):
key = kwargs['key']
m = Morsel()
m.key = key
m.value = kwargs['value']
m.coded_value = kwargs['value']
for k, v in kwargs.items():
try:
m[k] = v
except:
pass
self.cookies[key] = m
self.headers['Set-Cookie'] = str(m)
def set_cookie(self, **kwargs):
key = kwargs['key']
m = Morsel()
m.key = key
m.value = kwargs['value']
m.coded_value = kwargs['value']
for k, v in kwargs.items():
try:
m[k] = v
except:
pass
self.cookies[key] = m
self.headers['Set-Cookie'] = str(m)
def set_cookie(self, key, value=None, path='/', domain=None, secure=False, httponly=False, expires=None):
morsel = Morsel()
morsel.key = key
morsel.coded_value = value
morsel['path'] = path
if expires:
morsel['expires'] = expires
if domain:
morsel['domain'] = domain
if secure:
morsel['secure'] = secure
if httponly:
morsel['httponly'] = httponly
self.append_response_header('Set-Cookie', morsel.OutputString())
def delete_cookie(self, key, path='/', domain=None):
"""
Deletes a cookie from the client by setting the cookie to an empty
string, and max_age=0 so it should expire immediately.
"""
if self.cookies.has_key(key):
self.cookies[key].value = ''
self.cookies[key]['max-age'] = 0
else:
m = Morsel()
m.key = key
m.value = ''
m.path = path
m.domain = domain
m['max-age'] = 0
self.cookies[key] = m
def delete_cookie(self, key, path='/', domain=None):
"""
Deletes a cookie from the client by setting the cookie to an empty
string, and max_age=0 so it should expire immediately.
"""
if self.cookies.has_key(key):
self.cookies[key].value = ''
self.cookies[key]['max-age'] = 0
else:
m = Morsel()
m.key = key
m.value = ''
m.path = path
m.domain = domain
m['max-age'] = 0
self.cookies[key] = m
def injecting_start_response(status, headers, exc_info=None):
if session.should_save:
morsel = Morsel()
morsel.key = self.cookie_name
morsel.coded_value = session.sid
if self.cookie_age is not None:
morsel['max-age'] = self.cookie_age
morsel['expires'] = cookie_date(time() + self.cookie_age)
if self.cookie_domain is not None:
morsel['domain'] = self.cookie_domain
if self.cookie_path is not None:
morsel['path'] = self.cookie_path
if self.cookie_secure is not None:
morsel['secure'] = self.cookie_secure
headers.append(tuple(str(morsel).split(':', 1)))
return start_response(status, headers, exc_info)
async def destroy(self, sessionid):
"""
Destroy a session
:param sessionid: session ID
:return: a list of Set-Cookie headers to be sent to the client
"""
await call_api(self.apiroutine, 'memorystorage', 'delete',
{'key': __name__ + '.' + sessionid})
m = Morsel()
m.key = self.cookiename
m.value = 'deleted'
m.coded_value = 'deleted'
opts = {'path': '/', 'httponly': True, 'max-age': 0}
m.update(opts)
return [m]
def set_cookie(self, name, value, path=None, comment=None, domain=None,
max_age=None, secure=None, version=None, httponly=None):
new_morsel = Morsel()
new_morsel.key = name
new_morsel.coded_value = new_morsel.value = value
if max_age:
# Morsels will take max age and convert it to a date for us.
new_morsel['expires'] = max_age
new_morsel['max-age'] = max_age
if path: new_morsel['path'] = path
if comment: new_morsel['comment'] = comment
if domain: new_morsel['domain'] = domain
if secure: new_morsel['secure'] = secure
if version: new_morsel['version'] = version
if httponly: new_morsel['httponly'] = httponly
self += new_morsel
def test_morsel_to_cookie(self):
from time import strftime, localtime
time_template = "%a, %d-%b-%Y %H:%M:%S GMT"
m = Morsel()
m['domain'] = ".yandex"
m['domain'] = ".yandex.ru"
m['path'] = "/"
m['expires'] = "Fri, 27-Aug-2021 17:43:25 GMT"
m.key = "dj2enbdj3w"
m.value = "fvjlrwnlkjnf"
c = morsel_to_cookie(m)
self.assertEquals(m.key, c.name)
self.assertEquals(m.value, c.value)
for x in ('expires', 'path', 'comment', 'domain',
'secure', 'version'):
if x == 'expires':
self.assertEquals(m[x], strftime(time_template, localtime(getattr(c, x, None))))
elif x == 'version':
self.assertTrue(isinstance(getattr(c, x, None), int))
else:
self.assertEquals(m[x], getattr(c, x, None))