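 def test_get_user_from_token(self):
     """Log a user in from the remember-me cookie rather than a password.

     A forged remember token must be rejected with AuthenticationException;
     a token minted by set_remember_token() for the current user must log
     that same user back in even though no credentials are posted.
     """
     instance = ESAPI.authenticator()
     instance.logout()

     account_name = "testUserFromToken"
     password = instance.generate_strong_password()
     user = instance.create_user(account_name, password, password)
     user.enable()

     # --- negative case: a bogus token must not authenticate anybody ---
     request = MockHttpRequest()
     response = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(request, response)

     m = Morsel()
     m.key = HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME
     m.value = "ridiculous"
     request.cookies[m.key] = m
     self.assertRaises(AuthenticationException, instance.login, request, response)
     user.logout()

     # --- positive case: a token minted for this user logs them in ---
     request = MockHttpRequest()
     response = MockHttpResponse()
     ESAPI.authenticator().current_user = user
     new_token = ESAPI.http_utilities().set_remember_token(
         password, 10000, "test.com", request.path, request, response)
     request.set_cookie(key=HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, value=new_token)
     ESAPI.http_utilities().set_current_http(request, response)

     # Nothing is posted on this request, so login() can only succeed via
     # the remember cookie (the user was logged out above).
     user2 = instance.login(request, response)
     self.assertEqual(user, user2)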
 def test_login(self):
     """A freshly created, enabled user logs in with posted credentials."""
     authenticator = ESAPI.authenticator()
     username = "******"
     password = authenticator.generate_strong_password()
     account = authenticator.create_user(username, password, password)
     account.enable()

     # Credentials arrive as form fields, the way a browser would post them.
     req = MockHttpRequest()
     req.POST['username'] = username
     req.POST['password'] = password

     resp = MockHttpResponse()
     logged_in = authenticator.login(req, resp)
     self.assertTrue(logged_in.is_logged_in())
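 def test_set_remember_token(self):
     """set_remember_token() for a logged-in user returns a usable token.

     The original test made the call and asserted nothing.  The token is
     handed to the client as a cookie, so at minimum it must exist and
     must not be the plaintext password it was derived from.
     """
     instance = ESAPI.authenticator()

     account_name = "joestheplumber"
     password = instance.generate_strong_password()
     user = instance.create_user(account_name, password, password)
     user.enable()
     request = MockHttpRequest()
     request.POST['username'] = account_name
     request.POST['password'] = password
     response = MockHttpResponse()
     instance.login(request, response)

     max_age = 60 * 60 * 24 * 14  # two weeks, in seconds
     token = ESAPI.http_utilities().set_remember_token(
         password, max_age, "domain", '/', request, response)
     self.assertTrue(token)
     # A remember-me cookie carrying the raw password would be a credential leak.
     self.assertNotEqual(password, token)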
    def test_add_exception(self):
        """Exceptions reported to the intrusion detector end up locking the user.

        add_exception() must accept both plain Python exceptions and ESAPI
        ones.  A burst of IntegrityExceptions raised while a user is logged
        in must then leave that user logged out and locked.
        """
        detector = ESAPI.intrusion_detector()
        detector.add_exception(RuntimeError('message'))
        detector.add_exception(ValidationException("user message", "log message"))
        detector.add_exception(IntrusionException("user message", "log message"))

        username = "******"
        password = "******"
        account = ESAPI.authenticator().create_user(username, password, password)
        account.enable()

        req = MockHttpRequest()
        resp = MockHttpResponse()
        ESAPI.http_utilities().set_current_http(req, resp)
        account.login_with_password(password)

        # The instances are deliberately discarded: constructing an ESAPI
        # exception is presumably what reports it to the detector (the
        # assertions below only hold if that is the case).
        for n in range(15):
            IntegrityException("IntegrityException %s" % n,
                               "IntegrityException %s" % n)

        self.assertFalse(account.is_logged_in())
        self.assertTrue(account.is_locked())
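 def test_add_header(self):
     """add_header() writes the named header onto the current response.

     The original test called add_header() and asserted nothing, so a
     regression could not be caught.  The mock response keeps its headers
     in ``response.headers``; the added name must show up there.
     """
     instance = ESAPI.http_utilities()
     request = MockHttpRequest()
     response = MockHttpResponse()
     instance.set_current_http(request, response)
     self.assertEqual(0, len(response.headers))

     instance.add_header('HeaderName', 'HeaderValue')
     self.assertTrue('HeaderName' in response.headers)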
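 def test_get_user_from_session(self):
     """After a password login the user is recoverable from the session.

     Uses assertEqual: assertEquals is a deprecated alias that newer
     unittest releases remove.
     """
     instance = ESAPI.authenticator()
     instance.logout()
     account_name = "sessionTester"
     password = instance.generate_strong_password()
     user = instance.create_user(account_name, password, password)
     user.enable()

     request = MockHttpRequest()
     request.POST['username'] = account_name
     request.POST['password'] = password

     response = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(request, response)
     instance.login(request, response)
     # The lookup goes through the current request's session, not the
     # login() return value, so it exercises the session binding itself.
     current_user = instance.get_user_from_session()
     self.assertEqual(user, current_user)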
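 def test_kill_cookie(self):
     """kill_cookie() emits exactly one (expiring) cookie for the named cookie.

     Two cookies arrive on the request; killing one must add a single
     cookie to the response.  Uses assertEqual rather than
     ``assertTrue(len(...) == n)`` so a failure reports the actual count.
     """
     request = MockHttpRequest()
     response = MockHttpResponse()

     ESAPI.http_utilities().set_current_http(request, response)
     self.assertEqual(0, len(response.cookies))

     new_cookies = {}
     for name, value in (('test1', '1'), ('test2', '2')):
         m = Morsel()
         m.key = name
         m.value = value
         new_cookies[m.key] = m

     request.cookies = new_cookies
     ESAPI.http_utilities().kill_cookie("test1", request, response)
     # NOTE(review): only the count is checked; the mock's cookie store is
     # not shown to be keyed by name, so which cookie was expired is not
     # asserted here.
     self.assertEqual(1, len(response.cookies))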
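 def test_save_too_long_state_in_cookie(self):
     """State too large for a cookie must be refused, not silently truncated.

     The original put ``self.fail()`` inside a ``try`` guarded by a bare
     ``except:``; the AssertionError raised by ``fail()`` was swallowed by
     that handler, so the test passed whether or not the oversized state
     was rejected.  assertRaises makes the expectation real.
     """
     request = MockHttpRequest()
     response = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(request, response)

     foo = "abcd" * 1000  # 4000 characters; expected to exceed the cookie budget
     data = {'long': foo}
     # NOTE(review): the argument order (response, data) differs from the
     # (data, response) order used in test_state_from_encrypted_cookie;
     # one of the two is wrong.  Kept as found -- but note that a wrong
     # order would also raise, which assertRaises(Exception) cannot tell
     # apart from the intended rejection.
     self.assertRaises(Exception,
                       ESAPI.http_utilities().encrypt_state_in_cookie, response, data)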
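 def test_set_current_user_with_request(self):
     """login() sets current_user and refuses disabled, locked and expired users.

     The original wrapped each negative case in ``try: ...; self.fail()``
     / ``except Exception: pass``.  AssertionError is an Exception, so
     ``fail()`` was swallowed and none of those checks could ever fail.
     The third case also referred to ``use`` instead of ``user`` (a
     NameError, likewise swallowed) and asserted nothing at all.
     """
     instance = ESAPI.authenticator()
     instance.logout()

     account_name = "curUserWReq"
     password = instance.generate_strong_password()
     user = instance.create_user(account_name, password, password)
     user.enable()

     request = MockHttpRequest()
     request.POST['username'] = account_name
     request.POST['password'] = password

     response = MockHttpResponse()
     instance.login(request, response)
     self.assertEqual(user, instance.current_user)

     # Exception is asserted rather than a specific type to keep the
     # original's intent; narrow to AuthenticationException once the
     # exact type raised by login() is confirmed.

     # Disabled account: correct credentials must still be refused.
     user.disable()
     self.assertRaises(Exception, instance.login, request, response)

     # Locked account: same.
     user.enable()
     user.lock()
     self.assertRaises(Exception, instance.login, request, response)

     # Expired account: an expiration of "now" is in the past by the time
     # login() checks it.
     user.unlock()
     user.expiration_time = datetime.now()
     self.assertRaises(Exception, instance.login, request, response)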
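 def test_set_no_cache_headers(self):
     """set_no_cache_headers() adds Cache-Control and Expires to the response.

     Replaces ``dict.has_key`` (Python 2 only) with ``in`` and the
     deprecated ``assertEquals`` with ``assertEqual``.
     """
     request = MockHttpRequest()
     response = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(request, response)
     self.assertEqual(0, len(response.headers))

     # Pre-existing headers must survive the call.
     response.headers["test1"] = "1"
     response.headers["test2"] = "2"
     response.headers["test3"] = "3"

     self.assertEqual(3, len(response.headers))
     ESAPI.http_utilities().set_no_cache_headers(response)
     # NOTE(review): only presence is checked; the header *values*
     # (e.g. no-store / no-cache) are what actually prevent caching of
     # sensitive pages and are not asserted here.
     self.assertTrue('Cache-Control' in response.headers)
     self.assertTrue('Expires' in response.headers)
     for name in ("test1", "test2", "test3"):
         self.assertTrue(name in response.headers)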
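 def test_assert_secure_request(self):
     """assert_secure_request() accepts https:// URLs and rejects everything else.

     The original used a bare ``except:`` around ``self.fail()``, so a
     non-HTTPS URL that was wrongly accepted still passed the test.
     """
     request = MockHttpRequest()

     bad = ['http://example.com',
            'ftp://example.com',
            '',
            None]
     good = ['https://example.com']

     for bad_url in bad:
         request.url = bad_url
         self.assertRaises(Exception,
                           ESAPI.http_utilities().assert_secure_request, request)

     for good_url in good:
         request.url = good_url
         try:
             ESAPI.http_utilities().assert_secure_request(request)
         except Exception as e:
             self.fail("secure URL %r was rejected: %s" % (good_url, e))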
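 def test_state_from_encrypted_cookie(self):
     """encrypt_state_in_cookie() emits ciphertext the encryptor can decrypt.

     With no state cookie on the request, decrypt_state_from_cookie()
     yields an empty dict.  After encrypting a map into the response, the
     Set-Cookie value must be non-empty, must not contain any of the
     cleartext values, and must decrypt without error.
     """
     request = MockHttpRequest()
     response = MockHttpResponse()

     empty = ESAPI.http_utilities().decrypt_state_from_cookie(request)
     self.assertEqual({}, empty)

     m = {'one': 'aspect',
          'two': 'ridiculous',
          'test_hard': "&(@#*!^|;,."}

     # NOTE(review): the argument order (data, response) differs from the
     # (response, data) order used in test_save_too_long_state_in_cookie;
     # one of the two is wrong.
     ESAPI.http_utilities().encrypt_state_in_cookie(m, response)
     value = response.headers['Set-Cookie']
     encrypted = value[value.find('=') + 1:value.find(';')]
     self.assertTrue(encrypted)
     # The cookie is client-visible: the state must never appear in the clear.
     for cleartext in m.values():
         self.assertFalse(cleartext in encrypted)
     # Only decryptability is checked; a full round-trip would need the
     # cookie copied onto a request and decrypt_state_from_cookie() called.
     ESAPI.encryptor().decrypt(encrypted)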
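 def test_change_session_identifier(self):
     """change_session_identifier() rotates the id but keeps session data.

     Rotating the identifier (typically on login) is what defeats session
     fixation, so the id must change and every stored value must survive.
     """
     request = MockHttpRequest()
     response = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(request, response)
     session = request.session
     session['one'] = 'one'
     session['two'] = 'two'
     session['three'] = 'three'
     id1 = request.session.id

     session = ESAPI.http_utilities().change_session_identifier(request)
     id2 = request.session.id

     self.assertNotEqual(id1, id2)
     for key in ("one", "two", "three"):
         self.assertEqual(key, session[key])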
    def test_add_event(self):
        """A burst of intrusion events against a logged-in user locks the account."""
        username = "******"
        password = "******"
        authenticator = ESAPI.authenticator()
        account = authenticator.create_user(username, password, password)
        account.enable()

        req = MockHttpRequest()
        resp = MockHttpResponse()
        ESAPI.http_utilities().set_current_http(req, resp)
        account.login_with_password(password)

        # Fifteen identical events is presumably past the detector's
        # threshold for this event type; the loop index is irrelevant.
        detector = ESAPI.intrusion_detector()
        for _ in range(15):
            detector.add_event("test", "test message")

        self.assertTrue(account.is_locked())
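 def test_csrf_token(self):
     """verify_csrf_token() rejects a request without the token and accepts one with it.

     The original caught the rejection with a bare ``except:`` that also
     swallowed the ``self.fail()`` inside the ``try``, so a missing-token
     request that was wrongly accepted still passed.
     """
     username = "******"
     password = "******"
     user = ESAPI.authenticator().create_user(username, password, password)
     ESAPI.authenticator().current_user = user
     token = ESAPI.http_utilities().get_csrf_token()
     # 8 characters is what the implementation currently produces;
     # NOTE(review): a longer token costs nothing and is worth considering.
     self.assertEqual(8, len(token))

     request = MockHttpRequest()
     self.assertRaises(Exception,
                       ESAPI.http_utilities().verify_csrf_token, request)

     # NOTE(review): the token travels in the query string here; tokens
     # in URLs can leak via Referer and logs, so prefer a POST field.
     request.GET[HTTPUtilities.CSRF_TOKEN_NAME] = token
     ESAPI.http_utilities().verify_csrf_token(request)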
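    def test_add_cookie(self):
        """add_cookie() appends well-formed cookies and drops malformed ones.

        A cookie whose name or value contains a character such as ``<`` must
        be rejected outright (the count stays at 2) rather than written to
        the response.  Uses assertEqual; assertEquals is a deprecated alias.
        """
        instance = ESAPI.http_utilities()
        response = MockHttpResponse()
        request = MockHttpRequest()
        instance.set_current_http(request, response)
        self.assertEqual(0, len(response.cookies))

        # add_cookie(key, value='', max_age=None, path='/', domain=None,
        # secure=None, httponly=False, version=None, comment=None, expires=None)
        # NOTE(review): the secure/httponly defaults above are not asserted
        # here; verify them separately if cookies may carry session state.

        instance.add_cookie(response, key='test1', value='test1')
        self.assertEqual(1, len(response.cookies))

        # With no explicit response the cookie goes on the current response.
        instance.add_cookie(key='test2', value='test2')
        self.assertEqual(2, len(response.cookies))

        # illegal name
        instance.add_cookie(response, key='tes<t3', value='test3')
        self.assertEqual(2, len(response.cookies))

        # illegal value
        instance.add_cookie(response, key='test3', value='tes<t3')
        self.assertEqual(2, len(response.cookies))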
 def setUp(self):
     """Give every test a fresh request/response pair and an empty authenticator."""
     req = MockHttpRequest()
     resp = MockHttpResponse()
     ESAPI.http_utilities().set_current_http(req, resp)
     # Log out first so clearing the user store never leaves a dangling
     # current user behind.
     authenticator = ESAPI.authenticator()
     authenticator.logout()
     authenticator.clear_all_data()