Ejemplo n.º 1
    def test_unsafe_method_wrong_token(self, method, headers, post, scheme,
                                       scope):
        """Reject a request whose token differs from the session token.

        The session stub always answers "123456"; ``headers`` and ``post``
        come from the caller and presumably carry a missing or different
        token (confirm against the parametrization). The check must raise
        ``InvalidCSRF`` with ``REASON_BAD_TOKEN`` and must consult exactly
        one token source: the scoped one when a scope is set, otherwise
        the unscoped one.
        """
        # Record every token lookup so the scoped/unscoped choice is visible.
        session = pretend.stub(
            get_scoped_csrf_token=pretend.call_recorder(
                lambda scope: "123456"
            ),
            get_csrf_token=pretend.call_recorder(lambda: "123456"),
        )
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme=scheme,
            host_url="https://a.example.com/",
            session=session,
            POST=post,
        )
        request._process_csrf = True
        request._csrf_scope = scope

        with pytest.raises(csrf.InvalidCSRF) as excinfo:
            csrf._check_csrf(request)

        reason = excinfo.value.args[0]
        assert reason == csrf.REASON_BAD_TOKEN

        scoped_lookup = request.session.get_scoped_csrf_token
        plain_lookup = request.session.get_csrf_token
        if scope is None:
            assert plain_lookup.calls == [pretend.call()]
            assert scoped_lookup.calls == []
        else:
            assert scoped_lookup.calls == [pretend.call(scope)]
            assert plain_lookup.calls == []
Ejemplo n.º 2
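    def test_unsafe_method_via_header(self, method, headers, scheme, scope):
        """Accept a request that supplies the token in the CSRFToken header.

        The form body is empty, so the header is the only place the token
        "123456" can come from. The check must return without raising and
        must consult exactly one token source: the scoped one when a scope
        is set, otherwise the unscoped one.
        """
        # Work on a copy: ``headers`` is supplied by the caller and may be
        # shared between parametrized cases, so updating it in place would
        # leak the CSRFToken entry into other tests that reuse the object.
        headers = dict(headers)
        headers["CSRFToken"] = "123456"
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme=scheme,
            host_url="https://a.example.com/",
            session=pretend.stub(
                get_scoped_csrf_token=pretend.call_recorder(
                    lambda scope: "123456"
                ),
                get_csrf_token=pretend.call_recorder(lambda: "123456"),
            ),
            POST={},
        )
        request._process_csrf = True
        request._csrf_scope = scope

        # Must not raise: header token and session token are equal.
        csrf._check_csrf(request)

        if scope is not None:
            assert request.session.get_scoped_csrf_token.calls == [
                pretend.call(scope),
            ]
            assert request.session.get_csrf_token.calls == []
        else:
            assert request.session.get_csrf_token.calls == [pretend.call()]
            assert request.session.get_scoped_csrf_token.calls == []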
Ejemplo n.º 3
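    def test_unsafe_method_via_header(self, method, headers, scheme, scope):
        """Accept a request whose token arrives in the CSRFToken header.

        ``POST`` is empty, so only the header can carry the token. With the
        session answering the same value ("123456"), the check must pass
        silently and perform exactly one token lookup, scoped or unscoped
        according to ``_csrf_scope``.
        """
        # Copy before adding the token: the caller-supplied dict may be
        # reused by other parametrized cases, and an in-place update would
        # make those cases see a token they never asked for.
        headers = {**headers, "CSRFToken": "123456"}
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme=scheme,
            host_url="https://a.example.com/",
            session=pretend.stub(
                get_scoped_csrf_token=pretend.call_recorder(
                    lambda scope: "123456"),
                get_csrf_token=pretend.call_recorder(lambda: "123456"),
            ),
            POST={},
        )
        request._process_csrf = True
        request._csrf_scope = scope

        # Must not raise: header token and session token are equal.
        csrf._check_csrf(request)

        if scope is not None:
            assert request.session.get_scoped_csrf_token.calls == [
                pretend.call(scope),
            ]
            assert request.session.get_csrf_token.calls == []
        else:
            assert request.session.get_csrf_token.calls == [pretend.call()]
            assert request.session.get_scoped_csrf_token.calls == []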
Ejemplo n.º 4
    def test_unsafe_method_wrong_token(self, method, headers, post, scheme,
                                       scope):
        """A token mismatch must fail with ``REASON_BAD_TOKEN``.

        The session side always yields "123456". What the client sent is
        decided by the caller-supplied ``headers`` and ``post`` (presumably
        an absent or non-matching token; verify against the parameters).
        Besides the rejection, the test pins which session accessor is
        used: scoped when ``scope`` is given, unscoped otherwise.
        """
        scoped_getter = pretend.call_recorder(lambda scope: "123456")
        plain_getter = pretend.call_recorder(lambda: "123456")
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme=scheme,
            host_url="https://a.example.com/",
            session=pretend.stub(
                get_scoped_csrf_token=scoped_getter,
                get_csrf_token=plain_getter,
            ),
            POST=post,
        )
        request._process_csrf = True
        request._csrf_scope = scope

        with pytest.raises(csrf.InvalidCSRF) as raised:
            csrf._check_csrf(request)

        assert raised.value.args[0] == csrf.REASON_BAD_TOKEN

        # Exactly one accessor may have been consulted, exactly once.
        if scope is None:
            assert request.session.get_csrf_token.calls == [pretend.call()]
            assert request.session.get_scoped_csrf_token.calls == []
        else:
            assert request.session.get_scoped_csrf_token.calls == [
                pretend.call(scope),
            ]
            assert request.session.get_csrf_token.calls == []
Ejemplo n.º 5
    def test_unsafe_method_https_no_origin(self, method):
        """HTTPS requests with no headers at all fail with REASON_NO_ORIGIN.

        The stub has an empty ``headers`` mapping, so neither an Origin nor
        a Referer value is available to the check.
        """
        headerless = pretend.stub(headers={}, method=method, scheme="https")
        headerless._process_csrf = True

        with pytest.raises(csrf.InvalidCSRF) as excinfo:
            csrf._check_csrf(headerless)

        reason = excinfo.value.args[0]
        assert reason == csrf.REASON_NO_ORIGIN
Ejemplo n.º 6
    def test_unsafe_method_https_no_origin(self, method):
        """Over HTTPS, a request without origin information is rejected.

        ``headers`` is empty here, and the expected failure reason is
        ``REASON_NO_ORIGIN`` rather than a token error. The stub has no
        ``session`` attribute, so a token lookup on it would raise
        ``AttributeError`` instead of the asserted ``InvalidCSRF``.
        """
        request = pretend.stub(
            headers={},
            method=method,
            scheme="https",
        )
        request._process_csrf = True

        with pytest.raises(csrf.InvalidCSRF) as raised:
            csrf._check_csrf(request)

        failure_args = raised.value.args
        assert failure_args[0] == csrf.REASON_NO_ORIGIN
Ejemplo n.º 7
    def test_unsafe_method_no_process(self, method):
        """Without a CSRF decision on the request, the method is refused.

        Two shapes are covered: ``_process_csrf`` missing entirely and
        ``_process_csrf`` set to ``None``. Both must end in
        ``HTTPMethodNotAllowed``, i.e. the check fails closed rather than
        letting the request through unverified.
        """
        # Case 1: the attribute was never set on the request.
        undecided = pretend.stub(method=method)
        with pytest.raises(HTTPMethodNotAllowed):
            csrf._check_csrf(undecided)

        # Case 2: the attribute exists but holds None.
        explicit_none = pretend.stub(method=method)
        explicit_none._process_csrf = None
        with pytest.raises(HTTPMethodNotAllowed):
            csrf._check_csrf(explicit_none)
Ejemplo n.º 8
    def test_unsafe_method_no_process(self, method):
        """A request with no CSRF policy attached raises HTTPMethodNotAllowed.

        Checked twice: once with no ``_process_csrf`` attribute on the
        request, once with it explicitly ``None``. In neither case may the
        call return normally.
        """
        bare = pretend.stub(method=method)
        with pytest.raises(HTTPMethodNotAllowed):
            csrf._check_csrf(bare)

        # A fresh stub, so the first call cannot influence the second.
        with_none = pretend.stub(method=method)
        with_none._process_csrf = None
        with pytest.raises(HTTPMethodNotAllowed):
            csrf._check_csrf(with_none)
Ejemplo n.º 9
    def test_unsafe_method_https_origin_invalid(self, method, headers):
        """An HTTPS request from a foreign origin fails with REASON_BAD_ORIGIN.

        ``headers`` is caller-supplied and presumably names an origin other
        than ``https://a.example.com/`` (confirm against the parameters).
        The expected message embeds the offending origin, taken from
        ``Origin`` and falling back to ``Referer``, plus the request's own
        ``host_url``.
        """
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme="https",
            host_url="https://a.example.com/",
        )
        request._process_csrf = True

        with pytest.raises(csrf.InvalidCSRF) as excinfo:
            csrf._check_csrf(request)

        # Same precedence the assertion expects: Origin first, then Referer.
        referer = request.headers.get("Referer")
        origin = request.headers.get("Origin", referer)

        expected_reason = csrf.REASON_BAD_ORIGIN.format(
            origin,
            request.host_url,
        )
        assert excinfo.value.args[0] == expected_reason
Ejemplo n.º 10
    def test_unsafe_method_https_origin_invalid(self, method, headers):
        """Reject an HTTPS request whose origin does not match the host.

        The failure reason must be ``REASON_BAD_ORIGIN`` formatted with the
        origin the client sent (``Origin``, else ``Referer``) and the
        request's ``host_url``. The stub has no ``session`` attribute, so a
        token lookup on it would raise ``AttributeError`` instead of the
        asserted ``InvalidCSRF``.
        """
        host = "https://a.example.com/"
        request = pretend.stub(
            headers=headers,
            method=method,
            scheme="https",
            host_url=host,
        )
        request._process_csrf = True

        with pytest.raises(csrf.InvalidCSRF) as raised:
            csrf._check_csrf(request)

        sent_headers = request.headers
        origin = sent_headers.get("Origin", sent_headers.get("Referer"))
        reason = raised.value.args[0]

        assert reason == csrf.REASON_BAD_ORIGIN.format(
            origin,
            request.host_url,
        )
Ejemplo n.º 11
 def test_safe_method(self, method):
     """The CSRF check returns without raising for this method.

     The stub carries only ``method``, with no headers, session or
     ``_process_csrf``, so the call can only succeed if the check stops
     before reading any of them.
     """
     csrf._check_csrf(pretend.stub(method=method))
Ejemplo n.º 12
 def test_safe_method(self, method):
     """A request with only ``method`` set passes the check silently.

     No token, origin or policy attribute exists on the stub; the test
     passes only if ``_check_csrf`` neither raises nor needs them.
     """
     minimal_request = pretend.stub(method=method)
     outcome = csrf._check_csrf(minimal_request)
     # The return value is deliberately not asserted, as in the original.
     del outcome