def _test_configurable_headers(self, method):
# Reserved headers not allowed.
content_type = 'not-allowed'
self.env.config.set('http-headers', 'Content-Type', content_type)
# Control code not allowed.
custom1 = '\x00custom1'
self.env.config.set('http-headers', 'X-Custom-1', custom1)
# Many special characters allowed in header name.
custom2 = 'Custom2-!#$%&\'*+.^_`|~'
self.env.config.set('http-headers', custom2, 'custom2')
# Some special characters not allowed in header name.
self.env.config.set('http-headers', 'X-Custom-(3)', 'custom3')
req = MockRequest(self.env, method='POST')
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
self.assertRaises(RequestDone, method, req)
self.assertNotEqual('not-allowed',
req.headers_sent.get('Content-Type'))
self.assertNotIn('x-custom-1', req.headers_sent)
self.assertIn(custom2.lower(), req.headers_sent)
self.assertNotIn('x-custom-(3)', req.headers_sent)
self.assertIn(
('WARNING', "[http-headers] invalid headers are ignored: "
"u'content-type': u'not-allowed', "
"u'x-custom-1': u'\\x00custom1', "
"u'x-custom-(3)': u'custom3'"), self.env.log_messages)
def _test_file_not_sent_using_xsendfile_header(self, xsendfile_header):
req = MockRequest(self.env)
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
# File is not sent using xsendfile.
self.assertRaises(RequestDone, req.send_file, self.filename)
self.assertEqual(['200 Ok'], req.status_sent)
self.assertEqual('text/plain', req.headers_sent['Content-Type'])
self.assertNotIn(xsendfile_header, req.headers_sent)
self.assertEqual('_FileWrapper', type(req._response).__name__)
self.assertEqual('', req.response_sent.getvalue())
def test_invalid_session_id_returns_fake_session(self):
"""Fake session is returned when session id is invalid."""
sid = 'a' * 23 + '$' # last char invalid, sid must be alphanumeric.
req = MockRequest(self.env,
path_info='/test-stub',
cookie='trac_session=%s;' % sid)
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
self.assertRaises(RequestDone, request_dispatcher.dispatch, req)
self.assertIsInstance(req.session, FakeSession)
self.assertIsNone(req.session.sid)
self.assertEqual('200 Ok', req.status_sent[0])
self.assertIn('<h1>Hello World</h1>', req.response_sent.getvalue())
def test_set_valid_xsendfile_header(self):
"""Send file using xsendfile header."""
self.env.config.set('trac', 'use_xsendfile', True)
self.env.config.set('trac', 'xsendfile_header', 'X-Accel-Redirect')
req = MockRequest(self.env)
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
# File is sent using xsendfile.
self.assertRaises(RequestDone, req.send_file, self.filename)
self.assertEqual(['200 Ok'], req.status_sent)
self.assertEqual('text/plain', req.headers_sent['Content-Type'])
self.assertEqual(self.filename, req.headers_sent['X-Accel-Redirect'])
self.assertNotIn('X-Sendfile', req.headers_sent)
self.assertIsNone(req._response)
self.assertEqual('', req.response_sent.getvalue())
def test_get_session_returns_session(self):
"""Session is returned when database is reachable."""
sid, name, email = self._insert_session()
req = MockRequest(self.env, path_info='/test-stub',
cookie='trac_session=%s;' % sid)
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
self.assertRaises(RequestDone, request_dispatcher.dispatch, req)
self.assertIsInstance(req.session, Session)
self.assertEqual(sid, req.session.sid)
self.assertEqual(name, req.session['name'])
self.assertEqual(email, req.session['email'])
self.assertFalse(req.session.authenticated)
self.assertEqual('200 Ok', req.status_sent[0])
self.assertIn('<h1>Hello World</h1>', req.response_sent.getvalue())
def test_invalid_session_id_returns_fake_session(self):
"""Fake session is returned when session id is invalid."""
sid = 'a' * 23 + '$' # last char invalid, sid must be alphanumeric.
req = MockRequest(self.env,
path_info='/test-stub',
cookie='trac_session=%s;' % sid)
request_dispatcher = RequestDispatcher(self.env)
request_dispatcher.set_default_callbacks(req)
with self.assertRaises(RequestDone):
request_dispatcher.dispatch(req)
self.assertIn(('DEBUG', "Chosen handler is <Component trac.web.tests"
".main.TestStubRequestHandler>"), self.env.log_messages)
self.assertIn(('WARNING', "can't retrieve session: "
"Session ID must be alphanumeric."),
self.env.log_messages)
self.assertIsInstance(req.session, FakeSession)
self.assertIsNone(req.session.sid)
self.assertEqual('200 Ok', req.status_sent[0])
self.assertIn('<h1>Hello World</h1>', req.response_sent.getvalue())
def test_send_configurable_headers_no_override(self):
"""Headers in request not overridden by configurable headers."""
self.env.config.set('http-headers', 'X-XSS-Protection', '1; mode=block')
request_dispatcher = RequestDispatcher(self.env)
req1 = MockRequest(self.env)
request_dispatcher.set_default_callbacks(req1)
self.assertRaises(RequestDone, req1.send, self._content())
self.assertNotIn('X-XSS-protection', req1.headers_sent)
self.assertIn('x-xss-protection', req1.headers_sent)
self.assertEqual('1; mode=block', req1.headers_sent['x-xss-protection'])
req2 = MockRequest(self.env, method='POST')
request_dispatcher.set_default_callbacks(req2)
self.assertRaises(RequestDone, req2.send, self._content())
self.assertNotIn('x-xss-protection', req2.headers_sent)
self.assertIn('X-XSS-Protection', req2.headers_sent)
self.assertEqual('0', req2.headers_sent['X-XSS-Protection'])
class AuthenticateTestCase(unittest.TestCase):
authenticators = {}
request_handlers = []
@classmethod
def setUpClass(cls):
class UnsuccessfulAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
return None
class RaisingAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
raise TracError("Bad attempt")
class SuccessfulAuthenticator1(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user1'
class SuccessfulAuthenticator2(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user2'
class AuthenticateRequestHandler(Component):
implements(IRequestHandler)
def __init__(self):
self.calls = 0
def match_request(self, req):
return bool(req.perm)
def process_request(self, req):
self.calls += 1
req.authname
req.send('')
cls.authenticators['success1'] = SuccessfulAuthenticator1
cls.authenticators['success2'] = SuccessfulAuthenticator2
cls.authenticators['unsuccess'] = UnsuccessfulAuthenticator
cls.authenticators['raising'] = RaisingAuthenticator
cls.request_handlers = [AuthenticateRequestHandler]
@classmethod
def tearDownClass(cls):
from trac.core import ComponentMeta
for component in cls.authenticators.values() + cls.request_handlers:
ComponentMeta.deregister(component)
def setUp(self):
self.env = EnvironmentStub(enable=('trac.web.main.*', ))
self.req = MockRequest(self.env)
self.request_dispatcher = RequestDispatcher(self.env)
def test_authenticate_returns_first_successful(self):
self.env.enable_component(self.authenticators['success1'])
self.env.enable_component(self.authenticators['success2'])
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
self.authenticators['success1'])
self.assertIsInstance(self.request_dispatcher.authenticators[1],
self.authenticators['success2'])
self.assertEqual('user1',
self.request_dispatcher.authenticate(self.req))
def test_authenticate_skips_unsuccessful(self):
self.env.enable_component(self.authenticators['unsuccess'])
self.env.enable_component(self.authenticators['success1'])
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
self.authenticators['unsuccess'])
self.assertIsInstance(self.request_dispatcher.authenticators[1],
self.authenticators['success1'])
self.assertEqual('user1',
self.request_dispatcher.authenticate(self.req))
def test_authenticate_raises(self):
self.env.enable_component(self.authenticators['raising'])
self.env.enable_component(self.authenticators['success1'])
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
self.authenticators['raising'])
self.assertIsInstance(self.request_dispatcher.authenticators[1],
self.authenticators['success1'])
self.assertEqual('anonymous',
self.request_dispatcher.authenticate(self.req))
self.assertEqual(1, len(self.req.chrome['warnings']))
expected = "Can't authenticate using RaisingAuthenticator: "
for level, message in self.env.log_messages:
if expected in message.split('\n'):
self.assertEqual('ERROR', level)
break
else:
self.fail("Expected log message not found: \"%s\"" % expected)
def test_authenticate_once(self):
self.env.enable_component(self.authenticators['success1'])
self.env.enable_component(self.request_handlers[0])
self.env.config.set('trac', 'default_handler',
'AuthenticateRequestHandler')
self.request_dispatcher.set_default_callbacks(self.req)
with self.assertRaises(RequestDone):
self.request_dispatcher.dispatch(self.req)
self.assertEqual(1, len(self.request_dispatcher.authenticators))
self.assertEqual(1, len(self.request_dispatcher.handlers))
self.assertEqual(1, self.request_dispatcher.handlers[0].calls)
class AuthenticateTestCase(unittest.TestCase):
def setUp(self):
self.env = EnvironmentStub(disable=['trac.web.auth.LoginModule'])
self.request_dispatcher = RequestDispatcher(self.env)
self.req = MockRequest(self.env)
self.env.clear_component_registry()
def tearDown(self):
self.env.restore_component_registry()
def test_authenticate_returns_first_successful(self):
class SuccessfulAuthenticator1(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user1'
class SuccessfulAuthenticator2(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user2'
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
SuccessfulAuthenticator1)
self.assertIsInstance(self.request_dispatcher.authenticators[1],
SuccessfulAuthenticator2)
self.assertEqual('user1',
self.request_dispatcher.authenticate(self.req))
def test_authenticate_skips_unsuccessful(self):
class UnsuccessfulAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
return None
class SuccessfulAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user'
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
UnsuccessfulAuthenticator)
self.assertIsInstance(self.request_dispatcher.authenticators[1],
SuccessfulAuthenticator)
self.assertEqual('user',
self.request_dispatcher.authenticate(self.req))
def test_authenticate_raises(self):
class RaisingAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
raise TracError("Bad attempt")
class SuccessfulAuthenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
return 'user'
self.assertEqual(2, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
RaisingAuthenticator)
self.assertIsInstance(self.request_dispatcher.authenticators[1],
SuccessfulAuthenticator)
self.assertEqual('anonymous',
self.request_dispatcher.authenticate(self.req))
self.assertEqual(1, len(self.req.chrome['warnings']))
def test_authenticate_once(self):
class Authenticator(Component):
implements(IAuthenticator)
def authenticate(self, req):
authenticated[0] += 1
return 'admin'
class AuthenticateRequestHandler(Component):
implements(IRequestHandler)
def match_request(self, req):
return bool(req.perm)
def process_request(self, req):
req.authname
req.send('')
self.env.config.set('trac', 'default_handler',
'AuthenticateRequestHandler')
authenticated = [0]
req = MockRequest(self.env)
self.request_dispatcher.set_default_callbacks(req)
self.assertEqual(1, len(self.request_dispatcher.authenticators))
self.assertIsInstance(self.request_dispatcher.authenticators[0],
Authenticator)
self.assertRaises(RequestDone, self.request_dispatcher.dispatch, req)
self.assertEqual(1, authenticated[0])
