def test_get_totp_secret_empty(self, monkeypatch):
generate_totp_secret = pretend.call_recorder(lambda: b"foobar")
monkeypatch.setattr(otp, "generate_totp_secret", generate_totp_secret)
session = Session()
assert session.get_totp_secret() == b"foobar"
assert session._totp_secret_key in session
def test_scoped_csrf_token(self):
session = Session(session_id="my session id")
session.get_csrf_token = pretend.call_recorder(lambda: "123456")
assert session.get_scoped_csrf_token("myscope") == (
"cdcecc5069f543c8fa99c5ebf0fff014e63b7f618ad789e167b5148c4a81b2d0"
"02c321a48c611ab34ef6d7f539d5196fa80b05f161586ee8d0eee31808cf3b38")
assert session.get_csrf_token.calls == [pretend.call()]
def test_get_webauthn_challenge_empty(self, monkeypatch):
generate_webauthn_challenge = pretend.call_recorder(
lambda: "not_a_real_challenge")
monkeypatch.setattr(webauthn, "generate_webauthn_challenge",
generate_webauthn_challenge)
session = Session()
assert session.get_webauthn_challenge() == "not_a_real_challenge"
assert session._webauthn_challenge_key in session
def test_scoped_csrf_token(self):
session = Session(session_id="my session id")
session.get_csrf_token = pretend.call_recorder(lambda: "123456")
assert session.get_scoped_csrf_token("myscope") == (
"cdcecc5069f543c8fa99c5ebf0fff014e63b7f618ad789e167b5148c4a81b2d0"
"02c321a48c611ab34ef6d7f539d5196fa80b05f161586ee8d0eee31808cf3b38"
)
assert session.get_csrf_token.calls == [pretend.call()]
def test_csrf_token(self, monkeypatch):
tokens = iter(["123456", "7890"])
monkeypatch.setattr(crypto, "random_token", lambda: next(tokens))
session = Session()
assert session._csrf_token_key not in session
assert session.new_csrf_token() == "123456"
assert session._csrf_token_key in session
assert session.get_csrf_token() == "123456"
assert session.new_csrf_token() == "7890"
assert session._csrf_token_key in session
assert session.get_csrf_token() == "7890"
def test_csrf_token(self, monkeypatch):
tokens = iter(["123456", "7890"])
monkeypatch.setattr(crypto, "random_token", lambda: next(tokens))
session = Session()
assert not session.has_csrf_token()
assert session.new_csrf_token() == "123456"
assert session.has_csrf_token()
assert session.get_csrf_token() == "123456"
assert session.new_csrf_token() == "7890"
assert session.has_csrf_token()
assert session.get_csrf_token() == "7890"
def test_create_with_session_id(self, monkeypatch, data, expected, new):
monkeypatch.setattr(time, "time", lambda: 100)
session = Session(data, "wat", new)
assert session == expected
assert session.sid == "wat"
assert session.new is new
assert session.created == 100
assert not session.invalidated
def test_create_new(self, monkeypatch, data, expected):
monkeypatch.setattr(time, "time", lambda: 100)
monkeypatch.setattr(crypto, "random_token", lambda: "123456")
session = Session(data)
assert session == expected
assert session.sid == "123456"
assert session.new
assert session.created == 100
assert not session.invalidated
def test_cycle(self):
store = RedisSessionStore(pretend.stub())
store.delete = pretend.call_recorder(lambda session: None)
old_session = Session({"user.csrf": "ok"}, "123456", False)
new_session = store.cycle(old_session)
assert store.delete.calls == [pretend.call(old_session)]
assert new_session == old_session
assert new_session.new
assert new_session.sid != old_session.sid
def test_user_logout_get(app):
request = pretend.stub(
method="GET",
values={},
_session=Session({"user.id": 1}, "1234", False),
)
resp = logout(app, request)
assert resp.status_code == 200
assert resp.response.template.name == "accounts/logout.html"
assert resp.response.context == {"next": None}
def test_record_password_timestamp(self):
session = Session()
assert not session.should_save()
session.record_password_timestamp(1646230636)
assert session[session._password_timestamp_key] == 1646230636
assert session.should_save()
def test_cycle_session(self):
def fn(self, view, app, request, *args, **kwargs):
return view(app, request, *args, **kwargs)
def view(app, request):
request._session.cycle()
return Response()
app = pretend.stub(session_store=FakeSessionStore())
request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)
handle_session(fn)(pretend.stub(), view, app, request)
assert app.session_store.cycled == [Session({}, "abcd", False)]
def test_invalidate(self, monkeypatch):
session_ids = iter(["123456", "7890"])
monkeypatch.setattr(crypto, "random_token", lambda: next(session_ids))
session = Session({"foo": "bar"}, "original id", False)
assert session == {"foo": "bar"}
assert session.sid == "original id"
assert not session.new
assert not session.invalidated
session.invalidate()
assert session == {}
assert session.sid == "123456"
assert session.new
assert session.invalidated == {"original id"}
session.invalidate()
assert session == {}
assert session.sid == "7890"
assert session.new
assert session.invalidated == {"original id", "123456"}
def test_save(self):
store = RedisSessionStore(
pretend.stub(
setex=pretend.call_recorder(lambda key, ttl, data: None),
),
)
session = Session({"user.csrf": "wat"}, "EUmoN", False)
store.save(session)
assert store.redis.setex.calls == [
pretend.call(
"warehouse/session/data/EUmoN",
12 * 60 * 60,
b"\x81\xa9user.csrf\xa3wat",
),
]
def test_user_login_get(app):
app.db = pretend.stub(accounts=pretend.stub(
user_authenticate=pretend.stub(), ), )
request = pretend.stub(
method="GET",
form=MultiDict(),
values={},
_session=Session({}, "1234", False),
)
resp = login(app, request)
assert resp.status_code == 200
assert resp.response.context == {
"form": mock.ANY,
"next": None,
}
def test_user_logout_post(values, location):
app = pretend.stub(config=pretend.stub())
request = pretend.stub(
method="POST",
host="example.com",
values=values,
url_adapter=pretend.stub(build=lambda *a, **kw: "/",
),
_session=Session({"user.id": 1}, "1234", False),
)
resp = logout(app, request)
assert resp.status_code == 303
assert resp.headers["Location"] == location
assert resp.headers.getlist("Set-Cookie") == [
"username=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/",
]
assert request._session.deleted
def test_existing_session(self):
def fn(self, view, app, request, *args, **kwargs):
return view(app, request, *args, **kwargs)
def view(app, request):
request._session["wat"] = "ok"
return Response()
app = pretend.stub(session_store=FakeSessionStore())
request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)
response = handle_session(fn)(pretend.stub(), view, app, request)
assert app.session_store.saved == [
Session({"wat": "ok"}, "abcd", False),
]
assert response.headers.getlist("Set-Cookie") == [
"session_id=abcd; HttpOnly; Path=/",
]
def test_delete_session(self):
def fn(self, view, app, request, *args, **kwargs):
return view(app, request, *args, **kwargs)
def view(app, request):
request._session.delete()
return Response()
app = pretend.stub(session_store=FakeSessionStore())
request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)
response = handle_session(fn)(pretend.stub(), view, app, request)
assert app.session_store.deleted == [
Session({}, "abcd", False),
]
assert response.headers.getlist("Set-Cookie") == [
"session_id=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; "
"Path=/",
]
def test_valid_session(self, monkeypatch):
add_vary_cb = pretend.call_recorder(lambda fn: fn)
add_vary = pretend.call_recorder(lambda vary: add_vary_cb)
monkeypatch.setattr(warehouse.sessions, "add_vary", add_vary)
context = pretend.stub()
request = pretend.stub(session=Session())
response = pretend.stub()
@pretend.call_recorder
def view(context, request):
assert isinstance(request.session, Session)
return response
info = pretend.stub(options={"uses_session": True})
derived_view = session_view(view, info)
assert derived_view(context, request) is response
assert view.calls == [pretend.call(context, request)]
assert add_vary.calls == [pretend.call("Cookie")]
assert add_vary_cb.calls == [pretend.call(view)]
def test_non_session_view(self, monkeypatch):
class FakeMapper:
def __call__(self, view):
return view
mapper = session_mapper_factory(FakeMapper)()
context = pretend.stub()
request = pretend.stub(session=Session())
session = request.session
@pretend.call_recorder
def view(context, request):
assert request.session is not session
assert isinstance(request.session, InvalidSession)
wrapped = mapper(view)
wrapped(context, request)
assert view.calls == [pretend.call(context, request)]
assert isinstance(request.session, InvalidSession)
def test_user_login_post_valid(app, form, values, session, location):
app.db = pretend.stub(accounts=pretend.stub(
get_user_id=lambda username: 9001,
user_authenticate=lambda user, password: True,
), )
request = pretend.stub(
method="POST",
form=MultiDict(form),
host="example.com",
values=values,
url_adapter=pretend.stub(build=lambda *a, **kw: "/",
),
_session=Session(session, "1234", False),
)
resp = login(app, request)
assert request.session["user.id"] == 9001
assert resp.status_code == 303
assert resp.headers["Location"] == location
assert resp.headers.getlist("Set-Cookie") == ["username=test; Path=/"]
def test_invalidate(self, monkeypatch):
session_ids = iter(["123456", "7890"])
monkeypatch.setattr(crypto, "random_token", lambda: next(session_ids))
session = Session({"foo": "bar"}, "original id", False)
assert session == {"foo": "bar"}
assert session.sid == "original id"
assert not session.new
assert not session.invalidated
session.invalidate()
assert session == {}
assert session.sid == "123456"
assert session.new
assert session.invalidated == {"original id"}
session.invalidate()
assert session == {}
assert session.sid == "7890"
assert session.new
assert session.invalidated == {"original id", "123456"}
def test_flash_messages(self):
session = Session()
assert session.peek_flash() == []
assert session.peek_flash(queue="foo") == []
assert session.pop_flash() == []
assert session.pop_flash(queue="foo") == []
session.flash("A Flash Message")
assert session.peek_flash() == ["A Flash Message"]
assert session.peek_flash(queue="foo") == []
session.flash("Another Flash Message", queue="foo")
assert session.peek_flash() == ["A Flash Message"]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message")
assert session.peek_flash() == ["A Flash Message", "A Flash Message"]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message", allow_duplicate=True)
assert session.peek_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message", allow_duplicate=False)
assert session.peek_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
assert session.pop_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.pop_flash(queue="foo") == ["Another Flash Message"]
assert session.peek_flash() == []
assert session.peek_flash(queue="foo") == []
assert session.pop_flash() == []
assert session.pop_flash(queue="foo") == []
def test_generate_flash_key(self, queue, expected):
session = Session()
assert session._get_flash_queue_key(queue) == expected
def test_methods_call_changed(self, data, method, args):
session = Session(data)
session.changed = pretend.call_recorder(lambda: None)
getattr(session, method)(*args)
assert session.changed.calls == [pretend.call()]
def test_should_save(self):
session = Session()
assert not session.should_save()
session.changed()
assert session.should_save()
def test_password_outdated(self, stored, current, expected):
session = Session()
session.record_password_timestamp(stored)
assert session.password_outdated(current) == expected
def test_changed_marks_as_changed(self):
session = Session()
assert not session._changed
session.changed()
assert session._changed
def test_clear_webauthn_challenge(self):
session = Session()
session[session._webauthn_challenge_key] = "not_a_real_challenge"
session.clear_webauthn_challenge()
assert not session[session._webauthn_challenge_key]
def test_get_csrf_token_empty(self):
session = Session()
session.new_csrf_token = pretend.call_recorder(lambda: "123456")
assert session.get_csrf_token() == "123456"
assert session.new_csrf_token.calls == [pretend.call()]
def test_cycle(self):
session = Session({}, "123456", False)
assert not session.cycled
session.cycle()
assert session.cycled
def test_flash_messages(self):
session = Session()
assert session.peek_flash() == []
assert session.peek_flash(queue="foo") == []
assert session.pop_flash() == []
assert session.pop_flash(queue="foo") == []
session.flash("A Flash Message")
assert session.peek_flash() == ["A Flash Message"]
assert session.peek_flash(queue="foo") == []
session.flash("Another Flash Message", queue="foo")
assert session.peek_flash() == ["A Flash Message"]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message")
assert session.peek_flash() == ["A Flash Message", "A Flash Message"]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message", allow_duplicate=True)
assert session.peek_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
session.flash("A Flash Message", allow_duplicate=False)
assert session.peek_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.peek_flash(queue="foo") == ["Another Flash Message"]
assert session.pop_flash() == [
"A Flash Message",
"A Flash Message",
"A Flash Message",
]
assert session.pop_flash(queue="foo") == ["Another Flash Message"]
assert session.peek_flash() == []
assert session.peek_flash(queue="foo") == []
assert session.pop_flash() == []
assert session.pop_flash(queue="foo") == []
def test_generate_flash_key(self, queue, expected):
session = Session()
assert session._get_flash_queue_key(queue) == expected
def test_methods_call_changed(self, data, method, args):
session = Session(data)
session.changed = pretend.call_recorder(lambda: None)
getattr(session, method)(*args)
assert session.changed.calls == [pretend.call()]
def test_should_save(self):
session = Session()
assert not session.should_save()
session.changed()
assert session.should_save()
def test_get_csrf_token_empty(self):
session = Session()
session.new_csrf_token = pretend.call_recorder(lambda: "123456")
assert session.get_csrf_token() == "123456"
assert session.new_csrf_token.calls == [pretend.call()]
def test_get_totp_secret(self, monkeypatch):
session = Session()
session[session._totp_secret_key] = b"foobar"
assert session.get_totp_secret() == b"foobar"
def test_changed_marks_as_changed(self):
session = Session()
assert not session._changed
session.changed()
assert session._changed
def test_clear_totp_secret(self):
session = Session()
session[session._totp_secret_key] = b"foobar"
session.clear_totp_secret()
assert not session[session._totp_secret_key]
def test_invalidate_empty(self):
session = Session({"foo": "bar"})
session.invalidate()
assert session == {}
assert session.invalidated == set()
def test_invalidate_empty(self):
session = Session({"foo": "bar"})
session.invalidate()
assert session == {}
assert session.invalidated == set()
def test_delete(self):
session = Session({}, "123456", False)
assert not session.deleted
session.delete()
assert session.deleted