Exemple #1
0
    def test_get_totp_secret_empty(self, monkeypatch):
        generate_totp_secret = pretend.call_recorder(lambda: b"foobar")
        monkeypatch.setattr(otp, "generate_totp_secret", generate_totp_secret)

        session = Session()
        assert session.get_totp_secret() == b"foobar"
        assert session._totp_secret_key in session
Exemple #2
0
    def test_scoped_csrf_token(self):
        session = Session(session_id="my session id")
        session.get_csrf_token = pretend.call_recorder(lambda: "123456")

        assert session.get_scoped_csrf_token("myscope") == (
            "cdcecc5069f543c8fa99c5ebf0fff014e63b7f618ad789e167b5148c4a81b2d0"
            "02c321a48c611ab34ef6d7f539d5196fa80b05f161586ee8d0eee31808cf3b38")
        assert session.get_csrf_token.calls == [pretend.call()]
    def test_get_webauthn_challenge_empty(self, monkeypatch):
        generate_webauthn_challenge = pretend.call_recorder(
            lambda: "not_a_real_challenge")
        monkeypatch.setattr(webauthn, "generate_webauthn_challenge",
                            generate_webauthn_challenge)

        session = Session()
        assert session.get_webauthn_challenge() == "not_a_real_challenge"
        assert session._webauthn_challenge_key in session
    def test_scoped_csrf_token(self):
        session = Session(session_id="my session id")
        session.get_csrf_token = pretend.call_recorder(lambda: "123456")

        assert session.get_scoped_csrf_token("myscope") == (
            "cdcecc5069f543c8fa99c5ebf0fff014e63b7f618ad789e167b5148c4a81b2d0"
            "02c321a48c611ab34ef6d7f539d5196fa80b05f161586ee8d0eee31808cf3b38"
        )
        assert session.get_csrf_token.calls == [pretend.call()]
Exemple #5
0
    def test_csrf_token(self, monkeypatch):
        tokens = iter(["123456", "7890"])
        monkeypatch.setattr(crypto, "random_token", lambda: next(tokens))
        session = Session()

        assert session._csrf_token_key not in session
        assert session.new_csrf_token() == "123456"
        assert session._csrf_token_key in session
        assert session.get_csrf_token() == "123456"
        assert session.new_csrf_token() == "7890"
        assert session._csrf_token_key in session
        assert session.get_csrf_token() == "7890"
Exemple #6
0
    def test_csrf_token(self, monkeypatch):
        tokens = iter(["123456", "7890"])
        monkeypatch.setattr(crypto, "random_token", lambda: next(tokens))
        session = Session()

        assert not session.has_csrf_token()
        assert session.new_csrf_token() == "123456"
        assert session.has_csrf_token()
        assert session.get_csrf_token() == "123456"
        assert session.new_csrf_token() == "7890"
        assert session.has_csrf_token()
        assert session.get_csrf_token() == "7890"
Exemple #7
0
    def test_create_with_session_id(self, monkeypatch, data, expected, new):
        monkeypatch.setattr(time, "time", lambda: 100)
        session = Session(data, "wat", new)

        assert session == expected
        assert session.sid == "wat"
        assert session.new is new
        assert session.created == 100
        assert not session.invalidated
Exemple #8
0
    def test_create_new(self, monkeypatch, data, expected):
        monkeypatch.setattr(time, "time", lambda: 100)
        monkeypatch.setattr(crypto, "random_token", lambda: "123456")
        session = Session(data)

        assert session == expected
        assert session.sid == "123456"
        assert session.new
        assert session.created == 100
        assert not session.invalidated
    def test_cycle(self):
        store = RedisSessionStore(pretend.stub())
        store.delete = pretend.call_recorder(lambda session: None)

        old_session = Session({"user.csrf": "ok"}, "123456", False)
        new_session = store.cycle(old_session)

        assert store.delete.calls == [pretend.call(old_session)]
        assert new_session == old_session
        assert new_session.new
        assert new_session.sid != old_session.sid
Exemple #10
0
def test_user_logout_get(app):
    request = pretend.stub(
        method="GET",
        values={},
        _session=Session({"user.id": 1}, "1234", False),
    )

    resp = logout(app, request)

    assert resp.status_code == 200
    assert resp.response.template.name == "accounts/logout.html"
    assert resp.response.context == {"next": None}
    def test_record_password_timestamp(self):
        session = Session()
        assert not session.should_save()
        session.record_password_timestamp(1646230636)

        assert session[session._password_timestamp_key] == 1646230636
        assert session.should_save()
    def test_cycle_session(self):
        def fn(self, view, app, request, *args, **kwargs):
            return view(app, request, *args, **kwargs)

        def view(app, request):
            request._session.cycle()
            return Response()

        app = pretend.stub(session_store=FakeSessionStore())
        request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)

        handle_session(fn)(pretend.stub(), view, app, request)

        assert app.session_store.cycled == [Session({}, "abcd", False)]
Exemple #13
0
    def test_invalidate(self, monkeypatch):
        session_ids = iter(["123456", "7890"])
        monkeypatch.setattr(crypto, "random_token", lambda: next(session_ids))
        session = Session({"foo": "bar"}, "original id", False)

        assert session == {"foo": "bar"}
        assert session.sid == "original id"
        assert not session.new
        assert not session.invalidated

        session.invalidate()

        assert session == {}
        assert session.sid == "123456"
        assert session.new
        assert session.invalidated == {"original id"}

        session.invalidate()

        assert session == {}
        assert session.sid == "7890"
        assert session.new
        assert session.invalidated == {"original id", "123456"}
    def test_save(self):
        store = RedisSessionStore(
            pretend.stub(
                setex=pretend.call_recorder(lambda key, ttl, data: None),
            ),
        )
        session = Session({"user.csrf": "wat"}, "EUmoN", False)
        store.save(session)

        assert store.redis.setex.calls == [
            pretend.call(
                "warehouse/session/data/EUmoN",
                12 * 60 * 60,
                b"\x81\xa9user.csrf\xa3wat",
            ),
        ]
Exemple #15
0
def test_user_login_get(app):
    app.db = pretend.stub(accounts=pretend.stub(
        user_authenticate=pretend.stub(), ), )

    request = pretend.stub(
        method="GET",
        form=MultiDict(),
        values={},
        _session=Session({}, "1234", False),
    )

    resp = login(app, request)

    assert resp.status_code == 200
    assert resp.response.context == {
        "form": mock.ANY,
        "next": None,
    }
Exemple #16
0
def test_user_logout_post(values, location):
    app = pretend.stub(config=pretend.stub())
    request = pretend.stub(
        method="POST",
        host="example.com",
        values=values,
        url_adapter=pretend.stub(build=lambda *a, **kw: "/",
                                 ),
        _session=Session({"user.id": 1}, "1234", False),
    )

    resp = logout(app, request)

    assert resp.status_code == 303
    assert resp.headers["Location"] == location
    assert resp.headers.getlist("Set-Cookie") == [
        "username=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/",
    ]
    assert request._session.deleted
    def test_existing_session(self):
        def fn(self, view, app, request, *args, **kwargs):
            return view(app, request, *args, **kwargs)

        def view(app, request):
            request._session["wat"] = "ok"
            return Response()

        app = pretend.stub(session_store=FakeSessionStore())
        request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)

        response = handle_session(fn)(pretend.stub(), view, app, request)

        assert app.session_store.saved == [
            Session({"wat": "ok"}, "abcd", False),
        ]
        assert response.headers.getlist("Set-Cookie") == [
            "session_id=abcd; HttpOnly; Path=/",
        ]
    def test_delete_session(self):
        def fn(self, view, app, request, *args, **kwargs):
            return view(app, request, *args, **kwargs)

        def view(app, request):
            request._session.delete()
            return Response()

        app = pretend.stub(session_store=FakeSessionStore())
        request = pretend.stub(cookies={"session_id": "abcd"}, is_secure=False)

        response = handle_session(fn)(pretend.stub(), view, app, request)

        assert app.session_store.deleted == [
            Session({}, "abcd", False),
        ]
        assert response.headers.getlist("Set-Cookie") == [
            "session_id=; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; "
            "Path=/",
        ]
Exemple #19
0
    def test_valid_session(self, monkeypatch):
        add_vary_cb = pretend.call_recorder(lambda fn: fn)
        add_vary = pretend.call_recorder(lambda vary: add_vary_cb)
        monkeypatch.setattr(warehouse.sessions, "add_vary", add_vary)

        context = pretend.stub()
        request = pretend.stub(session=Session())
        response = pretend.stub()

        @pretend.call_recorder
        def view(context, request):
            assert isinstance(request.session, Session)
            return response

        info = pretend.stub(options={"uses_session": True})
        derived_view = session_view(view, info)

        assert derived_view(context, request) is response
        assert view.calls == [pretend.call(context, request)]
        assert add_vary.calls == [pretend.call("Cookie")]
        assert add_vary_cb.calls == [pretend.call(view)]
Exemple #20
0
    def test_non_session_view(self, monkeypatch):
        class FakeMapper:
            def __call__(self, view):
                return view

        mapper = session_mapper_factory(FakeMapper)()

        context = pretend.stub()
        request = pretend.stub(session=Session())

        session = request.session

        @pretend.call_recorder
        def view(context, request):
            assert request.session is not session
            assert isinstance(request.session, InvalidSession)

        wrapped = mapper(view)
        wrapped(context, request)

        assert view.calls == [pretend.call(context, request)]
        assert isinstance(request.session, InvalidSession)
Exemple #21
0
def test_user_login_post_valid(app, form, values, session, location):
    app.db = pretend.stub(accounts=pretend.stub(
        get_user_id=lambda username: 9001,
        user_authenticate=lambda user, password: True,
    ), )

    request = pretend.stub(
        method="POST",
        form=MultiDict(form),
        host="example.com",
        values=values,
        url_adapter=pretend.stub(build=lambda *a, **kw: "/",
                                 ),
        _session=Session(session, "1234", False),
    )

    resp = login(app, request)

    assert request.session["user.id"] == 9001
    assert resp.status_code == 303
    assert resp.headers["Location"] == location
    assert resp.headers.getlist("Set-Cookie") == ["username=test; Path=/"]
Exemple #22
0
    def test_invalidate(self, monkeypatch):
        session_ids = iter(["123456", "7890"])
        monkeypatch.setattr(crypto, "random_token", lambda: next(session_ids))
        session = Session({"foo": "bar"}, "original id", False)

        assert session == {"foo": "bar"}
        assert session.sid == "original id"
        assert not session.new
        assert not session.invalidated

        session.invalidate()

        assert session == {}
        assert session.sid == "123456"
        assert session.new
        assert session.invalidated == {"original id"}

        session.invalidate()

        assert session == {}
        assert session.sid == "7890"
        assert session.new
        assert session.invalidated == {"original id", "123456"}
Exemple #23
0
    def test_flash_messages(self):
        session = Session()

        assert session.peek_flash() == []
        assert session.peek_flash(queue="foo") == []
        assert session.pop_flash() == []
        assert session.pop_flash(queue="foo") == []

        session.flash("A Flash Message")
        assert session.peek_flash() == ["A Flash Message"]
        assert session.peek_flash(queue="foo") == []

        session.flash("Another Flash Message", queue="foo")
        assert session.peek_flash() == ["A Flash Message"]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message")
        assert session.peek_flash() == ["A Flash Message", "A Flash Message"]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message", allow_duplicate=True)
        assert session.peek_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message", allow_duplicate=False)
        assert session.peek_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        assert session.pop_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.pop_flash(queue="foo") == ["Another Flash Message"]

        assert session.peek_flash() == []
        assert session.peek_flash(queue="foo") == []
        assert session.pop_flash() == []
        assert session.pop_flash(queue="foo") == []
Exemple #24
0
 def test_generate_flash_key(self, queue, expected):
     session = Session()
     assert session._get_flash_queue_key(queue) == expected
Exemple #25
0
 def test_methods_call_changed(self, data, method, args):
     session = Session(data)
     session.changed = pretend.call_recorder(lambda: None)
     getattr(session, method)(*args)
     assert session.changed.calls == [pretend.call()]
Exemple #26
0
 def test_should_save(self):
     session = Session()
     assert not session.should_save()
     session.changed()
     assert session.should_save()
 def test_password_outdated(self, stored, current, expected):
     session = Session()
     session.record_password_timestamp(stored)
     assert session.password_outdated(current) == expected
Exemple #28
0
 def test_changed_marks_as_changed(self):
     session = Session()
     assert not session._changed
     session.changed()
     assert session._changed
    def test_clear_webauthn_challenge(self):
        session = Session()
        session[session._webauthn_challenge_key] = "not_a_real_challenge"

        session.clear_webauthn_challenge()
        assert not session[session._webauthn_challenge_key]
Exemple #30
0
    def test_get_csrf_token_empty(self):
        session = Session()
        session.new_csrf_token = pretend.call_recorder(lambda: "123456")

        assert session.get_csrf_token() == "123456"
        assert session.new_csrf_token.calls == [pretend.call()]
Exemple #31
0
 def test_cycle(self):
     session = Session({}, "123456", False)
     assert not session.cycled
     session.cycle()
     assert session.cycled
Exemple #32
0
    def test_flash_messages(self):
        session = Session()

        assert session.peek_flash() == []
        assert session.peek_flash(queue="foo") == []
        assert session.pop_flash() == []
        assert session.pop_flash(queue="foo") == []

        session.flash("A Flash Message")
        assert session.peek_flash() == ["A Flash Message"]
        assert session.peek_flash(queue="foo") == []

        session.flash("Another Flash Message", queue="foo")
        assert session.peek_flash() == ["A Flash Message"]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message")
        assert session.peek_flash() == ["A Flash Message", "A Flash Message"]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message", allow_duplicate=True)
        assert session.peek_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        session.flash("A Flash Message", allow_duplicate=False)
        assert session.peek_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.peek_flash(queue="foo") == ["Another Flash Message"]

        assert session.pop_flash() == [
            "A Flash Message",
            "A Flash Message",
            "A Flash Message",
        ]
        assert session.pop_flash(queue="foo") == ["Another Flash Message"]

        assert session.peek_flash() == []
        assert session.peek_flash(queue="foo") == []
        assert session.pop_flash() == []
        assert session.pop_flash(queue="foo") == []
Exemple #33
0
 def test_generate_flash_key(self, queue, expected):
     session = Session()
     assert session._get_flash_queue_key(queue) == expected
Exemple #34
0
 def test_methods_call_changed(self, data, method, args):
     session = Session(data)
     session.changed = pretend.call_recorder(lambda: None)
     getattr(session, method)(*args)
     assert session.changed.calls == [pretend.call()]
Exemple #35
0
 def test_should_save(self):
     session = Session()
     assert not session.should_save()
     session.changed()
     assert session.should_save()
Exemple #36
0
    def test_get_csrf_token_empty(self):
        session = Session()
        session.new_csrf_token = pretend.call_recorder(lambda: "123456")

        assert session.get_csrf_token() == "123456"
        assert session.new_csrf_token.calls == [pretend.call()]
Exemple #37
0
    def test_get_totp_secret(self, monkeypatch):
        session = Session()
        session[session._totp_secret_key] = b"foobar"

        assert session.get_totp_secret() == b"foobar"
Exemple #38
0
 def test_changed_marks_as_changed(self):
     session = Session()
     assert not session._changed
     session.changed()
     assert session._changed
Exemple #39
0
    def test_clear_totp_secret(self):
        session = Session()
        session[session._totp_secret_key] = b"foobar"

        session.clear_totp_secret()
        assert not session[session._totp_secret_key]
Exemple #40
0
 def test_invalidate_empty(self):
     session = Session({"foo": "bar"})
     session.invalidate()
     assert session == {}
     assert session.invalidated == set()
Exemple #41
0
 def test_invalidate_empty(self):
     session = Session({"foo": "bar"})
     session.invalidate()
     assert session == {}
     assert session.invalidated == set()
Exemple #42
0
 def test_delete(self):
     session = Session({}, "123456", False)
     assert not session.deleted
     session.delete()
     assert session.deleted