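  def testXsrf(self):
    """Exercises XsrfTokenGenerate / XsrfTokenValidate round trips.

    Covers three properties of the token scheme: generation is
    deterministic for a fixed (action, user, timestamp), tokens generated
    at different wall-clock times differ, and validation is bound to the
    clock supplied via time_ (a token is rejected once the mocked clock
    is 999 seconds past its timestamp; the exact lifetime is defined in
    util, not here) and to an explicit timestamp argument.
    """
    timestamp1 = 1329858903.8305809
    timestamp2 = 1329859175.3705659
    # Known-good token for ('action', timestamp1). Its base64 tail
    # ('fDEzMjk4NTg5MDMuODM=') decodes to '|1329858903.83', so the
    # timestamp is carried in the clear and only the prefix is secret.
    token1 = 'fZDmmR1yZzyjL9cyX0Zl7XwjfDEzMjk4NTg5MDMuODM='.decode('utf-8')
    token2 = util.XsrfTokenGenerate(
        'action', user='******', timestamp=timestamp1).decode('utf-8')
    token3 = util.XsrfTokenGenerate('action', user='******').decode('utf-8')
    token4 = util.XsrfTokenGenerate('action', user='******').decode('utf-8')

    # assertEqual/assertNotEqual: the *Equals aliases are deprecated.
    self.assertEqual(token1, token2)
    self.assertNotEqual(token1, token3)
    # NOTE(review): token1 == token2 shows generation is deterministic for a
    # fixed timestamp, so this assertion relies on the wall clock advancing
    # between the two calls above -- confirm that is acceptable for the
    # clock resolution on the test platform.
    self.assertNotEqual(token3, token4)

    class MockTime1(object):
      """Clock frozen at the token's own timestamp."""

      def time(self):  # pylint: disable=g-bad-name
        return timestamp1

    class MockTime2(object):
      """Clock 999 seconds after the token's timestamp."""

      def time(self):  # pylint: disable=g-bad-name
        return timestamp1 + 999

    self.assertTrue(util.XsrfTokenValidate(
        token1, 'action', user='******', time_=MockTime1()))
    self.assertFalse(util.XsrfTokenValidate(
        token1, 'action', user='******', time_=MockTime2()))
    self.assertTrue(util.XsrfTokenValidate(
        token1, 'action', user='******', timestamp=timestamp1, time_=MockTime1()))
    # A mismatching explicit timestamp must fail even with a valid clock.
    self.assertFalse(util.XsrfTokenValidate(
        token1, 'action', user='******', timestamp=timestamp2, time_=MockTime1()))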
    def testPutWithInvalidXsrfToken(self):
        """put() must raise AccessDeniedError when the XSRF token fails validation."""
        controller = self.c
        bad_token = 'badtoken'

        self.mox.StubOutWithMock(controller, 'VerifyPermissions')
        self.mox.StubOutWithMock(util, 'XsrfTokenValidate')

        # Permission check passes; the token read from the request then
        # fails validation, which must abort the PUT before any work is done.
        controller.VerifyPermissions(permissions.ESCROW).AndReturn(None)
        controller.request.get('xsrf-token', None).AndReturn(bad_token)
        util.XsrfTokenValidate(bad_token, 'UploadPassphrase').AndReturn(False)

        self.mox.ReplayAll()
        self.assertRaises(
            luks.models.AccessDeniedError, controller.put, 'vol_uuid')
        self.mox.VerifyAll()
    def get(self, action=None):
        """Handles GET requests.

        Responds 403 when XSRF protection is enabled and the 'xsrf-token'
        request parameter does not validate for the maintenance action, or
        when the current user is not an admin. Otherwise a deferred
        _UpdateSchema task is queued for each volume model.

        Args:
          action: unused by this handler.
        """
        if settings.XSRF_PROTECTION_ENABLED:
            token = self.request.get('xsrf-token', None)
            token_ok = util.XsrfTokenValidate(
                token, base_settings.MAINTENANCE_ACTION)
            if not token_ok:
                self.error(httplib.FORBIDDEN)
                return

        # Admin check runs after the XSRF check, so an invalid token is
        # rejected without consulting the users API.
        if not users.is_current_user_admin():
            self.error(httplib.FORBIDDEN)
            return

        models_to_update = (
            models.LuksVolume,
            models.FileVaultVolume,
            models.BitLockerVolume,
            models.DuplicityKeyPair,
        )
        for model in models_to_update:
            deferred.defer(_UpdateSchema, model)
        self.response.out.write('Schema migration successfully initiated.')
  def VerifyXsrfToken(self, action):
    """Verifies that the current request carries a valid XSRF token.

    The token is read from the 'xsrf-token' request parameter. When
    settings.XSRF_PROTECTION_ENABLED is False no validation is performed
    and the method returns True regardless of the token (a missing token
    is only logged).

    Args:
      action: String, validate the token against this action.
    Returns:
      Boolean. True when the token validated, or when protection is disabled.
    Raises:
      base.AccessDeniedError: protection is enabled and the token was
          invalid or not supplied.
    """
    xsrf_token = self.request.get('xsrf-token', None)

    if not settings.XSRF_PROTECTION_ENABLED:
      # Protection is off: never reject, but leave a trace of missing tokens
      # so the condition is visible in logs.
      if not xsrf_token:
        logging.info(
            'Ignoring missing XSRF token; settings.XSRF_PROTECTION_ENABLED=False')
      return True

    if util.XsrfTokenValidate(xsrf_token, action):
      return True
    raise base.AccessDeniedError('Valid XSRF token not provided')
    def testPutUnknown(self):
        """A PUT with an empty body is logged as 'Unknown PUT' and answered 400."""
        controller = self.c
        token = 'token'
        volume_uuid = 'foovolumeuuid'
        passphrase = ''

        self.mox.StubOutWithMock(controller, 'VerifyPermissions')
        self.mox.StubOutWithMock(luks.models.LuksAccessLog, 'Log')
        self.mox.StubOutWithMock(util, 'XsrfTokenValidate')

        # Both the permission and the XSRF checks pass; the request is
        # rejected solely because its body is empty.
        controller.VerifyPermissions(permissions.ESCROW).AndReturn(None)
        controller.request.get('xsrf-token', None).AndReturn(token)
        util.XsrfTokenValidate(token, 'UploadPassphrase').AndReturn(True)

        controller.request.body = passphrase

        luks.models.LuksAccessLog.Log(
            message='Unknown PUT', request=controller.request)
        controller.error(400).AndReturn(None)

        self.mox.ReplayAll()
        controller.put(volume_uuid=volume_uuid)
        self.mox.VerifyAll()