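def test_call_jsonp():
    """
    Fetch a public tiddler as JSONP from the space host and from the bare
    host, and check the body is wrapped as ``callback(...)``.

    This is only the happy path for *public* data. JSONP deliberately
    bypasses the same-origin policy, so the security-relevant property is
    what the drop-privileges tests assert (nothing private is served when a
    callback is requested). Not covered anywhere in this file: whether the
    server restricts the callback name to a safe identifier; an
    attacker-chosen callback reflected verbatim is the classic JSONP
    script-injection vector, so confirm that separately.
    """
    tiddler = Tiddler('public')
    tiddler.bag = 'foo_public'
    tiddler.text = 'some text'
    store.put(tiddler)

    user_cookie = get_auth('foo', 'foobar')
    callback = 'callback'
    base_headers = {
        # the session cookie is interpolated here; a format string with no
        # placeholder makes the `%` raise TypeError before any request goes out
        'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
        'Accept': 'application/json',
    }

    # the same resource must wrap correctly on the space host and the bare host
    for host in ('foo.0.0.0.0', '0.0.0.0'):
        uri = ('http://%s:8080/bags/foo_public/tiddlers/public?callback=%s'
               % (host, callback))
        response, content = http.request(
            uri, method='GET', headers=dict(base_headers))
        assert response['status'] == '200', (host, response['status'])
        assert content.startswith('%s(' % callback), (host, content[:40])
        assert content.endswith(')'), (host, content[-40:])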
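def test_cookie_set():
    """
    An authenticated request to a space host that carries no csrf_token
    cookie must be answered with a freshly minted one bound to that user
    and that space.

    The expected value mirrors the derivation these tests assume the server
    uses: ``<YYYYMMDDHH>:<usersign>:sha(<usersign>:<stamp>:<space>:<secret>)``.
    Two things a reader should know: that is a plain hash over a
    concatenation with the shared secret rather than an HMAC, so any change
    to the server's scheme must be mirrored here; and the exact string
    comparison means the server is expected to emit the cookie with no
    attributes at all (no Path, Secure or HttpOnly) -- confirm that is the
    intended deployment posture.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)

    user_cookie = get_auth('foo', 'foobar')

    def expected_cookie(stamp):
        # token bound to (hour stamp, user, space) under the shared secret
        digest = sha('%s:%s:%s:%s' %
                     (user.usersign, stamp, space, config['secret'])).hexdigest()
        return 'csrf_token=%s:%s:%s' % (stamp, user.usersign, digest)

    # Take the hour stamp on both sides of the request: the stamp is
    # hour-granular, so if the hour rolls over while the request is in flight
    # the server may legitimately have used either value. Accepting both
    # avoids a spurious failure once an hour.
    before = datetime.now().strftime('%Y%m%d%H')
    response, content = http.request(
        'http://foo.0.0.0.0:8080/status',
        method='GET',
        headers={'Cookie': 'tiddlyweb_user="%s"' % user_cookie})
    after = datetime.now().strftime('%Y%m%d%H')

    assert response['status'] == '200', content

    # .get so a missing Set-Cookie reports as an assertion, not a KeyError
    actual = response.get('set-cookie')
    assert actual in (expected_cookie(before), expected_cookie(after)), actual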
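def test_no_cookie_sent():
    """
    When the request already carries a csrf_token that is valid for this
    user and space, the server must not mint another one: no Set-Cookie at
    all, or one that does not touch ``csrf_token``.

    The token is minted with the derivation the server is assumed to use
    (hour stamp, usersign, sha over usersign:stamp:space:secret). Because
    the stamp is hour-granular the test can fail spuriously if the hour
    rolls over between minting and the server's check; that is a property
    of the scheme, not a server bug.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)

    user_cookie = get_auth('foo', 'foobar')
    stamp = datetime.now().strftime('%Y%m%d%H')
    digest = sha('%s:%s:%s:%s' %
                 (user.usersign, stamp, space, config['secret'])).hexdigest()
    csrf_cookie = 'csrf_token=%s:%s:%s' % (stamp, user.usersign, digest)

    response, content = http.request(
        'http://foo.0.0.0.0:8080/status',
        method='GET',
        headers={
            'Cookie': 'tiddlyweb_user="%s"; %s' % (user_cookie, csrf_cookie)
        })

    # Without this the test passes vacuously on an authentication failure,
    # which also sets no csrf cookie. test_cookie_set shows this request
    # answers 200 for the same user.
    assert response['status'] == '200', content

    # no Set-Cookie is fine; one that re-issues csrf_token is not
    set_cookie = response.get('set-cookie', '')
    assert 'csrf_token' not in set_cookie, set_cookie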
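def test_no_cookie_sent():
    """
    A request that already presents a csrf_token valid for this user and
    space must not be given a new one.

    The token is built here the way these tests assume the server builds
    it: ``<YYYYMMDDHH>:<usersign>:sha(<usersign>:<stamp>:<space>:<secret>)``.
    The hour-granular stamp means a rollover between minting the token and
    the server checking it can produce a one-off spurious failure.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)

    user_cookie = get_auth('foo', 'foobar')
    hour_stamp = datetime.now().strftime('%Y%m%d%H')
    signature = sha('%s:%s:%s:%s' % (
        user.usersign, hour_stamp, space, config['secret'])).hexdigest()
    valid_token = 'csrf_token=%s:%s:%s' % (hour_stamp, user.usersign, signature)

    # both cookies on one Cookie header: the session and the valid token
    cookie_header = 'tiddlyweb_user="%s"; %s' % (user_cookie, valid_token)
    response, content = http.request('http://foo.0.0.0.0:8080/status',
        method='GET',
        headers={'Cookie': cookie_header})

    # guard against passing vacuously on an auth failure (which would also
    # set no csrf cookie); the same request answers 200 in test_cookie_set
    assert response['status'] == '200', content

    returned = response.get('set-cookie', '')
    assert 'csrf_token' not in returned, returned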
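def test_cookie_set():
    """
    A space-host request from an authenticated user with no csrf_token
    cookie must receive one, bound to that user and space.

    The expectation encodes the server's assumed derivation,
    ``<YYYYMMDDHH>:<usersign>:sha(<usersign>:<stamp>:<space>:<secret>)``,
    i.e. a plain hash over a concatenation with the shared secret (not an
    HMAC); keep this in step with the server. Comparing the whole
    Set-Cookie value also pins that the server sends the cookie with no
    attributes (no Path, Secure or HttpOnly) -- confirm that is intended.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)

    user_cookie = get_auth('foo', 'foobar')

    def token_cookie_for(hour_stamp):
        # what the server should mint for this user/space at hour_stamp
        signature = sha('%s:%s:%s:%s' % (
            user.usersign, hour_stamp, space, config['secret'])).hexdigest()
        return 'csrf_token=%s:%s:%s' % (hour_stamp, user.usersign, signature)

    # Sample the hour before and after the request. The stamp is
    # hour-granular, so a rollover during the request means the server may
    # have used either; accepting both avoids an hourly flake.
    stamp_before = datetime.now().strftime('%Y%m%d%H')
    response, content = http.request('http://foo.0.0.0.0:8080/status',
        method='GET',
        headers={
            'Cookie': 'tiddlyweb_user="%s"' % user_cookie
        })
    stamp_after = datetime.now().strftime('%Y%m%d%H')

    assert response['status'] == '200', content

    candidates = (token_cookie_for(stamp_before), token_cookie_for(stamp_after))
    returned = response.get('set-cookie')  # .get: missing header -> clean failure
    assert returned in candidates, returned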
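def test_invalid_cookie():
    """
    Any csrf_token the server cannot validate must be replaced with a fresh
    one: a stale token (hour stamp three hours old), a malformed token, and
    a token minted for a different user than the session presenting it.

    The cross-user case is the security check that matters: usersign is
    part of the token derivation precisely so a token is not transferable
    between sessions. As originally written the third request re-sent the
    malformed token from user ``bar``, which only repeated the malformed
    case; the fresh-and-correctly-signed-for-foo token presented by bar is
    added below. Whether the server allows any grace window (e.g. the
    previous hour's token) is not established by this test.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    user_cookie = get_auth('foo', 'foobar')

    def signed_token(hour_stamp):
        # a csrf_token cookie for `user` at the given hour stamp
        digest = sha('%s:%s:%s:%s' % (
            user.usersign, hour_stamp, space, config['secret'])).hexdigest()
        return 'csrf_token=%s:%s:%s' % (hour_stamp, user.usersign, digest)

    def reissued(session_cookie, csrf_cookie):
        # GET /status on the space host; True if a csrf_token was (re)set.
        # .get: a missing Set-Cookie is a test failure, not a KeyError.
        response, _ = http.request('http://foo.0.0.0.0:8080/status',
            method='GET',
            headers={
                'Cookie': 'tiddlyweb_user="%s"; %s' % (session_cookie, csrf_cookie)
            })
        return 'csrf_token' in response.get('set-cookie', '')

    # stale: well-formed and correctly signed, but stamped three hours ago
    old_stamp = (datetime.now() - timedelta(hours=3)).strftime('%Y%m%d%H')
    assert reissued(user_cookie, signed_token(old_stamp))

    # malformed: not even the stamp:user:digest shape
    garbage = 'csrf_token=adiudh9389wefnf98'
    assert reissued(user_cookie, garbage)

    # a second user presenting the same malformed token
    user2 = User('bar')
    user2.set_password('foobar')
    store.put(user2)
    user2_cookie = get_auth('bar', 'foobar')
    assert reissued(user2_cookie, garbage)

    # wrong principal: a token that is fresh and valid for foo must still be
    # rejected when bar's session presents it
    now_stamp = datetime.now().strftime('%Y%m%d%H')
    assert reissued(user2_cookie, signed_token(now_stamp))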
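def test_invalid_cookie():
    """
    A csrf_token that does not validate must cause a new one to be sent.

    Cases: stale (stamp three hours old), malformed, malformed from a second
    user, and -- the binding check -- a current, correctly signed token for
    ``foo`` presented by ``bar``'s session. The last case is new: the
    original third request re-used the malformed token and so never
    exercised user binding, although usersign is in the derivation for
    exactly that purpose. This test does not show whether a grace window
    (previous hour) exists.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)

    user_cookie = get_auth('foo', 'foobar')

    def foo_token_at(stamp):
        # csrf_token cookie for `user` at hour `stamp`, as the server derives it
        digest = sha('%s:%s:%s:%s' %
                     (user.usersign, stamp, space, config['secret'])).hexdigest()
        return 'csrf_token=%s:%s:%s' % (stamp, user.usersign, digest)

    def csrf_token_reissued(session_cookie, csrf_cookie):
        # True when the /status response sets csrf_token; a missing
        # Set-Cookie counts as "not reissued" instead of raising KeyError
        response, _ = http.request(
            'http://foo.0.0.0.0:8080/status',
            method='GET',
            headers={'Cookie': 'tiddlyweb_user="%s"; %s' % (session_cookie, csrf_cookie)})
        return 'csrf_token' in response.get('set-cookie', '')

    three_hours_ago = (datetime.now() - timedelta(hours=3)).strftime('%Y%m%d%H')
    assert csrf_token_reissued(user_cookie, foo_token_at(three_hours_ago))

    malformed = 'csrf_token=adiudh9389wefnf98'
    assert csrf_token_reissued(user_cookie, malformed)

    user2 = User('bar')
    user2.set_password('foobar')
    store.put(user2)
    user2_cookie = get_auth('bar', 'foobar')
    assert csrf_token_reissued(user2_cookie, malformed)

    # binding: foo's current token is not acceptable from bar's session
    current = datetime.now().strftime('%Y%m%d%H')
    assert csrf_token_reissued(user2_cookie, foo_token_at(current))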
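def test_post_data_multipart_form():
    """
    A multipart/form-data POST that creates a tiddler must carry a valid
    nonce (here ``csrf_token`` in the query string) or be refused with 400.

    The nonce is minted with the derivation these tests assume the server
    uses: ``<YYYYMMDDHH>:<usersign>:sha(<usersign>:<stamp>:<space>:<secret>)``.
    Content-Length is derived from the body: both requests send the same
    bytes, yet the original hard-coded 390 for one and 267 for the other,
    and at most one of those can be right. NOTE(review): the body uses bare
    LF line endings and its part delimiters need to be ``--`` plus the
    boundary given in Content-Type; if the success case ever stops passing,
    check the server's multipart parser was meant to be this lenient.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    nonce = '%s:%s:%s' % (
        timestamp, user.usersign,
        sha('%s:%s:%s:%s' %
            (user.usersign, timestamp, space, secret)).hexdigest())

    user_cookie = get_auth('foo', 'foobar')
    csrf_token = 'csrf_token=%s' % nonce
    data = '''---------------------------168072824752491622650073
Content-Disposition: form-data; name="title"

foobar
---------------------------168072824752491622650073
Content-Disposition: form-data; name="text"

Hello World
---------------------------168072824752491622650073--'''

    def headers():
        # fresh dict per request; length computed from the body actually sent
        return {
            'Content-Type': 'multipart/form-data; '
                            'boundary=---------------------------168072824752491622650073',
            'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
            'Content-Length': str(len(data)),
        }

    # success: nonce present in the query string
    uri = 'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers?%s' % csrf_token
    response, content = http.request(uri,
        method='POST',
        headers=headers(),
        body=data)
    print(content)
    assert response['status'] == '204', (response['status'], content)

    # failure: identical request with no nonce anywhere
    response, content = http.request(
        'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers=headers(),
        body=data)
    assert response['status'] == '400', (response['status'], content)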
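def test_post_data_multipart_form():
    """
    Creating a tiddler with a multipart/form-data POST requires a nonce:
    with ``csrf_token`` in the query string the POST is accepted (204),
    without it the POST is refused (400).

    The nonce follows the derivation assumed throughout these tests
    (hour stamp, usersign, sha over usersign:stamp:space:secret).
    Content-Length is computed from the body instead of hard-coded: the
    original sent 390 and 267 for the same body, which cannot both be
    correct. NOTE(review): the body is LF-delimited and its delimiters must
    be ``--`` + the boundary from Content-Type per RFC 2046 -- the server's
    parser is apparently tolerant; confirm that is intended.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    signature = sha('%s:%s:%s:%s' % (
        user.usersign, timestamp, space, secret)).hexdigest()
    nonce = '%s:%s:%s' % (timestamp, user.usersign, signature)

    user_cookie = get_auth('foo', 'foobar')
    csrf_token = 'csrf_token=%s' % nonce
    data = '''---------------------------168072824752491622650073
Content-Disposition: form-data; name="title"

foobar
---------------------------168072824752491622650073
Content-Disposition: form-data; name="text"

Hello World
---------------------------168072824752491622650073--'''

    boundary = '---------------------------168072824752491622650073'

    def post(uri):
        # one multipart POST of `data`, Content-Length taken from the body
        return http.request(uri,
            method='POST',
            headers={
                'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
                'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
                'Content-Length': str(len(data)),
            },
            body=data)

    # with nonce -> created
    response, content = post(
        'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers?%s' % csrf_token)
    print(content)
    assert response['status'] == '204', (response['status'], content)

    # without nonce -> refused
    response, content = post('http://foo.0.0.0.0:8080/bags/foo_public/tiddlers')
    assert response['status'] == '400', (response['status'], content)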
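def test_post_data_form_urlencoded():
    """
    An application/x-www-form-urlencoded POST creating a tiddler requires
    a nonce: accepted (204) when ``csrf_token`` is sent, refused (400)
    when it is not.

    In the success case the token is sent twice -- as a (quoted) cookie and
    as a form field -- i.e. the double-submit pattern. The original failure
    request differed from the success case in two ways at once (bare host
    instead of the space host, and no nonce), so on its own it could not
    attribute the 400 to the nonce check; a second failure request against
    the space host with only the nonce removed isolates that check (the
    multipart test already relies on the same host/no-nonce combination
    answering 400).
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    nonce = '%s:%s:%s' % (
        timestamp, user.usersign,
        sha('%s:%s:%s:%s' %
            (user.usersign, timestamp, space, secret)).hexdigest())

    user_cookie = get_auth('foo', 'foobar')
    csrf_token = 'csrf_token="%s"' % nonce
    data = 'title=foobar&text=hello%20world'

    # success: nonce in the cookie and in the body
    response, content = http.request(
        'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers={
            'Content-type': 'application/x-www-form-urlencoded',
            'Cookie': 'tiddlyweb_user="%s"; %s' % (user_cookie, csrf_token)
        },
        body='%s&csrf_token=%s' % (data, nonce))
    assert response['status'] == '204', (response['status'], content)

    no_nonce_headers = {
        'Content-type': 'application/x-www-form-urlencoded',
        'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
    }

    # failure (original): bare host and no nonce
    response, content = http.request(
        'http://0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers=dict(no_nonce_headers),
        body=data)
    assert response['status'] == '400', (response['status'], content)

    # failure (isolated): same host as the success case, nonce removed only
    response, content = http.request(
        'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers=dict(no_nonce_headers),
        body=data)
    assert response['status'] == '400', (response['status'], content)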
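def test_nonce_not_left_over():
    """
    The ``csrf_token`` form field must be stripped before the POST is
    processed, so it does not end up stored on the created tiddler.

    This matters: unknown form fields are kept as tiddler fields
    (``extra_field`` below proves it), and the tiddler lives in a *public*
    bag, so a token left behind would hand a currently valid CSRF token for
    this user to anyone who can read the tiddler. The original asserted on
    a ``nonce`` field, which is never posted and so was always absent
    whether or not the token had been stripped; the check now targets the
    field actually sent, ``csrf_token``.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    nonce = '%s:%s:%s' % (
        timestamp, user.usersign,
        sha('%s:%s:%s:%s' %
            (user.usersign, timestamp, space, secret)).hexdigest())

    user_cookie = get_auth('foo', 'foobar')
    data = 'title=foobar&text=hello%20world&extra_field=baz'

    # success: nonce only in the body this time
    response, content = http.request(
        'http://foo.0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers={
            'Content-type': 'application/x-www-form-urlencoded',
            'Cookie': 'tiddlyweb_user="%s"' % user_cookie
        },
        body='%s&csrf_token=%s' % (data, nonce))
    assert response['status'] == '204', (response['status'], content)

    new_tiddler = Tiddler('foobar')
    new_tiddler.bag = 'foo_public'
    new_tiddler = store.get(new_tiddler)

    assert new_tiddler.title == 'foobar'
    assert new_tiddler.text == 'hello world'
    # unknown fields are retained...
    assert new_tiddler.fields.get('extra_field') == 'baz'
    # ...but the token must not be, under the name it was posted with
    assert new_tiddler.fields.get('csrf_token') is None, new_tiddler.fields
    assert new_tiddler.fields.get('nonce') is None, new_tiddler.fields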
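def test_post_data_form_urlencoded():
    """
    A urlencoded form POST needs a nonce: 204 with ``csrf_token`` (sent as
    a quoted cookie and as a form field -- double submit), 400 without.

    The failure request as originally written changed both the host (bare
    instead of space) and dropped the nonce, so the 400 could have come
    from either; it is kept, and a second no-nonce POST to the space host
    is added to pin the nonce check on its own (the multipart test depends
    on that same combination answering 400).
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    signature = sha('%s:%s:%s:%s' % (
        user.usersign, timestamp, space, secret)).hexdigest()
    nonce = '%s:%s:%s' % (timestamp, user.usersign, signature)

    user_cookie = get_auth('foo', 'foobar')
    csrf_token = 'csrf_token="%s"' % nonce
    data = 'title=foobar&text=hello%20world'
    form_type = 'application/x-www-form-urlencoded'

    def post(host, body, extra_cookie=None):
        # POST `body` to the tiddlers collection on `host`, optionally with
        # a csrf cookie appended to the session cookie
        cookie = 'tiddlyweb_user="%s"' % user_cookie
        if extra_cookie is not None:
            cookie = '%s; %s' % (cookie, extra_cookie)
        return http.request(
            'http://%s:8080/bags/foo_public/tiddlers' % host,
            method='POST',
            headers={'Content-type': form_type, 'Cookie': cookie},
            body=body)

    # nonce in cookie and body -> created
    response, content = post('foo.0.0.0.0',
                             '%s&csrf_token=%s' % (data, nonce),
                             extra_cookie=csrf_token)
    assert response['status'] == '204', (response['status'], content)

    # original failure: bare host, no nonce
    response, content = post('0.0.0.0', data)
    assert response['status'] == '400', (response['status'], content)

    # isolated failure: space host, only the nonce missing
    response, content = post('foo.0.0.0.0', data)
    assert response['status'] == '400', (response['status'], content)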
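def test_nonce_not_left_over():
    """
    After a form POST the ``csrf_token`` field must have been removed before
    the tiddler was built, so it is not persisted as a tiddler field.

    Since arbitrary extra form fields *are* persisted (``extra_field``
    below) and the target bag is public, leaving the token in place would
    publish a live CSRF token for the user. The check is against the field
    name actually posted, ``csrf_token``; the original looked for ``nonce``,
    which is never sent and therefore could not detect a leak.
    """
    store = get_store(config)
    space = 'foo'
    make_fake_space(store, space)
    user = User('foo')
    user.set_password('foobar')
    store.put(user)
    timestamp = datetime.now().strftime('%Y%m%d%H')
    secret = config['secret']
    signature = sha('%s:%s:%s:%s' % (
        user.usersign, timestamp, space, secret)).hexdigest()
    nonce = '%s:%s:%s' % (timestamp, user.usersign, signature)

    user_cookie = get_auth('foo', 'foobar')
    form_fields = 'title=foobar&text=hello%20world&extra_field=baz'

    # nonce carried in the body only
    response, content = http.request('http://foo.0.0.0.0:8080/bags/foo_public/tiddlers',
        method='POST',
        headers={
            'Content-type': 'application/x-www-form-urlencoded',
            'Cookie': 'tiddlyweb_user="%s"' % user_cookie
        },
        body='%s&csrf_token=%s' % (form_fields, nonce))
    assert response['status'] == '204', (response['status'], content)

    stored = store.get(Tiddler('foobar', 'foo_public'))

    assert stored.title == 'foobar'
    assert stored.text == 'hello world'
    assert stored.fields.get('extra_field') == 'baz'
    # the posted token must not survive into the stored fields
    assert 'csrf_token' not in stored.fields, stored.fields
    assert stored.fields.get('nonce') is None, stored.fields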
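def test_drop_privs():
    """
    Requesting a resource as JSONP (``?callback=``) must drop the caller's
    privileges: private tiddlers, bags and recipes answer 401 even though
    the session cookie would otherwise grant access.

    This is the control that keeps JSONP from being a cross-site read of
    private data: a JSONP response executes as script in whatever origin
    embedded it, so anything the session could read would leak there. The
    final plain-JSON request (same cookie, no callback) answers 200, which
    shows the 401s come from the callback parameter and not from the
    permissions themselves.
    """
    tiddler = Tiddler('private')
    tiddler.bag = 'foo_private'
    tiddler.text = 'some text'
    store.put(tiddler)

    user_cookie = get_auth('foo', 'foobar')
    callback = 'callback'
    base_headers = {
        'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
        'Accept': 'application/json',
    }

    # every private entry/container reachable via bags and via recipes
    private_paths = [
        'bags/foo_private/tiddlers/private',
        'recipes/foo_private/tiddlers/private',
        'bags/foo_private',
        'recipes/foo_private',
        'bags/foo_private/tiddlers',
        'recipes/foo_private/tiddlers',
    ]
    for path in private_paths:
        uri = 'http://foo.0.0.0.0:8080/%s?callback=%s' % (path, callback)
        response, _ = http.request(uri, method='GET', headers=dict(base_headers))
        assert response['status'] == '401', (path, response['status'])

    # control: without a callback the same session reads the tiddler
    response, _ = http.request(
        'http://foo.0.0.0.0:8080/bags/foo_private/tiddlers/private',
        method='GET',
        headers=dict(base_headers))
    assert response['status'] == '200', response['status']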
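def test_no_subdomain():
    """
    JSONP privilege dropping must apply on the bare (non-space) host too,
    not only on space subdomains: private bags, recipes and tiddlers answer
    401 when a callback is requested, and a JSONP search scoped to the
    private bag returns an empty result set rather than leaking entries.

    As in test_drop_privs, the plain-JSON request without a callback
    answers 200 with the same cookie, proving the 401s are caused by the
    callback parameter. Note the search case is filtered (``callback([])``)
    instead of refused; a 200 with private hits in it would be the failure
    to watch for there.
    """
    tiddler = Tiddler('private')
    tiddler.bag = 'foo_private'
    tiddler.text = 'some text'
    store.put(tiddler)

    user_cookie = get_auth('foo', 'foobar')
    callback = 'callback'
    base_headers = {
        'Cookie': 'tiddlyweb_user="%s"' % user_cookie,
        'Accept': 'application/json',
    }

    def get(path_and_query):
        # GET on the bare host with the session cookie and a JSON Accept
        return http.request('http://0.0.0.0:8080/%s' % path_and_query,
                            method='GET', headers=dict(base_headers))

    private_paths = [
        'bags/foo_private/tiddlers/private',
        'recipes/foo_private/tiddlers/private',
        'bags/foo_private',
        'recipes/foo_private',
        'bags/foo_private/tiddlers',
        'recipes/foo_private/tiddlers',
    ]
    for path in private_paths:
        response, _ = get('%s?callback=%s' % (path, callback))
        assert response['status'] == '401', (path, response['status'])

    # control: no callback, same session -> readable
    response, _ = get('bags/foo_private/tiddlers/private')
    assert response['status'] == '200', response['status']

    # search as JSONP: allowed, but private results are filtered out
    response, content = get('search?q=bag:foo_private&callback=%s' % callback)
    assert response['status'] == '200', response['status']
    assert content == 'callback([])', content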