def test_403_csrf_exception(self): self.c = self.client_class(enforce_csrf_checks=True) for accept_type in self.ACCEPT_TYPES: resp = self.post(self.ISSUE_API_URL, {}, headers={'HTTP_ACCEPT': accept_type, 'CONTENT_TYPE': 'application/json'}) assert_in(accept_type, resp['Content-Type']) assert_http_forbidden(resp)
def test_response_sensitive_data_body_in_json_should_be_hidden(self): responses.add(responses.POST, 'http://test.cz', body='test') requests.post('http://test.cz', data=json.dumps({'password': '******'})) output_logged_requst = OutputLoggedRequest.objects.get() assert_in('"password": "******"', output_logged_requst.request_body) assert_not_in('"password": "******"', output_logged_requst.request_body) assert_in('"password": "******"', responses.calls[0].request.body) assert_not_in('"password": "******"', responses.calls[0].request.body)
def test_enum_with_distinct_key_and_value_should_contain_only_defined_values(self): enum = Enum( ('A', 'c'), ('B', 'd') ) assert_equal(enum.A, 'c') assert_equal(enum.B, 'd') assert_equal(list(enum), ['c', 'd']) assert_equal(enum.all, ('c', 'd')) assert_equal(enum.get_name('c'), 'A') with assert_raises(AttributeError): enum.C # pylint: disable=W0104 assert_is_none(enum.get_name('f')) assert_in('c', enum) assert_in(enum.A, enum) assert_not_in('A', enum)
def test_enum_should_contain_only_defined_values(self): enum = Enum( 'A', 'B' ) assert_equal(enum.A, 'A') assert_equal(enum.B, 'B') assert_equal(list(enum), ['A', 'B']) assert_equal(enum.all, ('A', 'B')) assert_equal(enum.get_name('A'), 'A') with assert_raises(AttributeError): enum.C # pylint: disable=W0104 assert_is_none(enum.get_name('C')) assert_in('A', enum) assert_in(enum.A, enum) assert_not_in('C', enum)
def test_auto_gemerated_num_enum_should_contain_only_defined_values(self): enum = NumEnum( 'A', 'B' ) assert_equal(enum.A, 1) assert_equal(enum.B, 2) assert_equal(list(enum), [1, 2]) assert_equal(enum.all, (1, 2)) assert_equal(enum.get_name(1), 'A') with assert_raises(AttributeError): enum.C # pylint: disable=W0104 assert_is_none(enum.get_name(3)) assert_in(1, enum) assert_in(enum.A, enum) assert_not_in('A', enum)
def test_token_should_be_updated_during_its_access(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) token = resp.json()['token'] resp = self.get( self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}) assert_in('X-Authorization-Expiration', resp) assert_true(resp['X-Authorization-Expiration'].startswith('0:59')) with freeze_time(timezone.now() + timedelta(minutes=10), tick=True): resp = self.get( self.INDEX_URL, headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)}) assert_in('X-Authorization-Expiration', resp) assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
def test_user_should_be_authorized_with_changed_header_name(self, user): resp = self.post(self.API_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_ok( self.get(self.INDEX_URL, headers={ 'HTTP_X_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_http_redirect( self.get(self.INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) }))
def test_user_should_be_authorized_from_token_and_uuid(self, user): device_token = DeviceKey.objects.get_or_create_token(uuid=UUID, user=user)[0] resp = self.post(self.API_MOBILE_LOGIN_URL, { 'uuid': UUID, 'login_device_token': device_token }) assert_http_ok(resp) assert_in('token', resp.json()) assert_http_ok( self.get(INDEX_URL, headers={ 'HTTP_AUTHORIZATION': 'Bearer {}'.format(resp.json()['token']) })) assert_not_in('Authorization', self.c.cookies) assert_true(Token.objects.last().allowed_header) assert_false(Token.objects.last().allowed_cookie)
def test_user_should_not_be_logged_in_two_factor_for_invalid_code( self, user): login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, { 'username': '******', 'password': '******' }) assert_http_redirect(login_resp) # the code value needs to be overwritten, so that its value could be used for next request login_resp.wsgi_request.token.two_factor_code = make_password( '12345', salt=Token.TWO_FACTOR_CODE_SALT) login_resp.wsgi_request.token.save() code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL, {'code': 'other_code'}) assert_http_ok(code_check_resp) assert_in( _('The inserted value does not correspond to the sent code.'), code_check_resp._container[0].decode('utf8')) assert_false(code_check_resp.wsgi_request.token.is_authenticated)
def test_401_exception(self): for accept_type in self.ACCEPT_TYPES: resp = self.get(self.ISSUE_API_URL, headers={'HTTP_ACCEPT': accept_type}) assert_in(accept_type, resp['Content-Type']) assert_http_unauthorized(resp)
def test_404_exception(self): for accept_type in self.ACCEPT_TYPES: resp = self.get('%s%s/' % (self.ISSUE_API_URL, 5), headers={'HTTP_ACCEPT': accept_type}) assert_in(accept_type, resp['Content-Type']) assert_http_not_found(resp)
def test_403_exception(self): self.get_user_obj() for accept_type in self.ACCEPT_TYPES: resp = self.post(self.USER_API_URL, headers={'HTTP_ACCEPT': accept_type}, data={}) assert_in(accept_type, resp['Content-Type']) assert_http_forbidden(resp)
def test_superuser_should_read_is_superuser_field(self): user = self.logged_user.user resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk)) assert_in(b'is_superuser', resp.content)
def test_sensitive_data_body_in_json_should_be_hidden(self): self.c.post('/admin/login/', data=json.dumps({'username': '******', 'password': '******'}), content_type='application/json') input_logged_request = InputLoggedRequest.objects.get() assert_in('"password": "******"', input_logged_request.request_body) assert_not_in('"password": "******"', input_logged_request.request_body)
def test_superuser_may_read_users_grid(self): resp = self.get(self.ISSUE_UI_URL) assert_in(b'data-col="watched_by_string"', resp.content)
def test_every_output_request_has_data_for_stdout_logging(self, func): requests.get('http://test.cz') assert_true(func.called) func_args = func.call_args.args[0] if sys.version_info >= ( 3, 8) else func.call_args_list[0][0][0] # data assert_in('request_timestamp', func_args) assert_in('response_timestamp', func_args) assert_in('response_time', func_args) assert_in('response_code', func_args) assert_in('host', func_args) assert_in('path', func_args) assert_in('method', func_args) assert_in('slug', func_args)
def test_sensitive_data_body_in_raw_form_should_be_hidden(self): self.post('/admin/login/', data={'username': '******', 'password': '******'}) input_logged_request = InputLoggedRequest.objects.get() assert_in('[Filtered]', input_logged_request.request_body)
def test_403_exception(self): user = self.get_user_obj() for accept_type in self.ACCEPT_TYPES: resp = self.get('%s%s/' % (self.USER_API_URL, user.pk), headers={'HTTP_ACCEPT': accept_type}) assert_in(accept_type, resp['Content-Type']) assert_http_forbidden(resp)
def test_sensitive_data_body_in_raw_form_should_be_hidden(self): with capture_security_logs() as logged_data: self.post('/admin/login/', data={'username': '******', 'password': '******'}) assert_in('[Filtered]', logged_data.input_request[0].request_body)