def test_register_with_same_deviceid_twice_fails(): unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), data=dict(deviceId=unauthed_user.deviceId, secret=unauthed_user.secret, deviceInfo=json.dumps(unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 200 # registering twice as same user should fail resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), data=dict(deviceId=unauthed_user.deviceId, secret=unauthed_user.secret, deviceInfo=json.dumps(unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 401 # user exists unauthed_user.delete_account() # registering as second user should fail second_unauthed_user = ScreenshotsClient() resp = second_unauthed_user.session.post( urljoin(second_unauthed_user.backend, "/api/register"), data=dict(deviceId=unauthed_user.deviceId, secret=second_unauthed_user.secret, deviceInfo=json.dumps(second_unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 401 # user exists
def test_my_shots_page(): with screenshots_session() as user: user.read_my_shots() # e.g. direct navigation to /shots in private window unauthed_user = ScreenshotsClient() response = unauthed_user.get_uri("/shots") response.raise_for_status()
def test_register_without_deviceinfo_ok(): unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), data=dict(deviceId=unauthed_user.deviceId, secret=unauthed_user.secret)) print resp.text assert resp.status_code == 200 unauthed_user.delete_account()
def test_set_login_cookie(): sess1 = ScreenshotsClient() login_resp = sess1.login() headers = {'x-screenshots-auth': login_resp.json()['authHeader']} assert sess1.session.cookies['user'] and sess1.session.cookies['user.sig'] sess2 = ScreenshotsClient() # Trying to login without any authentication won't work: resp = sess2.session.post(sess2.backend + "/api/set-login-cookie") assert resp.status_code == 401 assert not sess2.session.cookies.get('user') resp = sess2.session.post(sess2.backend + "/api/set-login-cookie", headers=headers) assert resp.status_code == 200 assert sess2.session.cookies['user'] and sess2.session.cookies['user.sig']
def test_owned_shot_ui_with_fxa_auth(): setup_session = setup_shot_on_device() shot_url = setup_session['shot_url'] browser_only_user = ScreenshotsBase() # Use setup user accountId to login to a browser only session result = browser_only_user.login(setup_session['user'].accountId) assert setup_session['user'].deviceId == result[ 'deviceid'], "Associated deviceId should match" unauth_user = ScreenshotsClient() copy_element = r'<img src="/static/img/icon-copy.svg[^"]*' copy_match = match_shot_ui_element(browser_only_user, shot_url, copy_element) assert copy_match, "Copy button is visible" copy_match = match_shot_ui_element(unauth_user, shot_url, copy_element) assert copy_match is None, "Copy button is not visible" edit_element = r'<img src="/static/img/icon-pen.svg[^"]*' edit_match = match_shot_ui_element(browser_only_user, shot_url, edit_element) assert edit_match, "Edit button is visible" edit_match = match_shot_ui_element(unauth_user, shot_url, edit_element) assert edit_match is None, "Edit button is not visible" setup_session['user'].delete_account()
def test_update(): user = ScreenshotsClient() user.login() shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0) shot_page = user.read_shot(shot_url) assert "A_TEST_SITE_1" in shot_page["page"] shot_id = urlparse.urlsplit(shot_url).path.strip("/") user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2", image_index=1) later_shot_page = user.read_shot(shot_url) assert "A_TEST_SITE_2" in later_shot_page["page"] assert later_shot_page["clip_content"] assert later_shot_page["clip_content"] != shot_page["clip_content"] assert later_shot_page["clip_url"] != shot_page["clip_url"]
def test_leave_screenshots_clears_csrf_cookie(): user = ScreenshotsClient() user.login() leave_resp = user.session.get(user.backend + "/leave-screenshots/") assert leave_resp.status_code == 200 assert_httponly_csrf_cookie(user.session) page = leave_resp.text csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page) csrf = csrf_match.group(1) first_csrf_cookie = user.session.cookies.get('_csrf') resp = user.session.post(urljoin(user.backend, "/leave-screenshots/leave"), json={"_csrf": csrf}) assert resp.status_code == 200 assert first_csrf_cookie != user.session.cookies.get('_csrf')
def test_register_without_secret_fails(): unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), data=dict(deviceId=unauthed_user.deviceId, deviceInfo=json.dumps(unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 400
def test_register_without_deviceid_fails(): unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), data=dict(deviceId='', secret=unauthed_user.secret, deviceInfo=json.dumps(unauthed_user.deviceInfo))) assert resp.status_code == 400, "register without device id worked"
def test_put_large_image(): user = ScreenshotsClient() user.login() try: try: user.create_shot(pad_image_to_length=100 * 1000 * 1000) except HTTPError, e: if e.response.status_code != 413: raise finally: user.delete_account()
def test_bad_id(): user = ScreenshotsClient() user.login() try: try: user.create_shot(shot_id="!!!/test.com") except HTTPError, e: if e.response.status_code != 400: raise finally: user.delete_account()
def test_leave_screenshots_clears_csrf_cookie(): user = ScreenshotsClient() user.login() leave_resp = user.session.get(user.backend + "/leave-screenshots/") assert leave_resp.status_code == 200 assert_httponly_csrf_cookie(user.session) page = leave_resp.text csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page) csrf = csrf_match.group(1) first_csrf_cookie = user.session.cookies.get('_csrf') resp = user.session.post( urljoin(user.backend, "/leave-screenshots/leave"), json={"_csrf": csrf}) assert resp.status_code == 200 assert first_csrf_cookie != user.session.cookies.get('_csrf')
def test_login_with_invalid_headers(): # might belong in test_auth.py instead unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/login"), headers=dict(origin="https://localhost:8080"), data=dict(secret=unauthed_user.secret, deviceInfo=json.dumps(unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 403 # Invalid CSRF Headers
def test_register_with_invalid_headers(): # might belong in test_auth.py instead unauthed_user = ScreenshotsClient() resp = unauthed_user.session.post( urljoin(unauthed_user.backend, "/api/register"), headers=dict(referer="https://localhost:8080/1Zv4srJfp50f5LaJ/localhost"), data=dict(deviceId=unauthed_user.deviceId, secret=unauthed_user.secret, deviceInfo=json.dumps(unauthed_user.deviceInfo))) print resp.text assert resp.status_code == 403 # Invalid CSRF Headers
def test_creating_page(): with screenshots_session() as user: shot_url = user.create_shot(docTitle="A_TEST_SITE_1", image_index=0) shot_id = urlparse.urlsplit(shot_url).path.strip("/") resp = user.get_uri("/creating/" + shot_id) assert resp.status_code == 200 unauthed_user = ScreenshotsClient() resp = requests.get(urljoin(unauthed_user.backend, "/creating/") + shot_id) assert resp.status_code == 200
def test_scopes(): user = ScreenshotsClient() user.login() abtests = user.session.cookies["abtests"] abtests_sig = user.session.cookies["abtests.sig"] print(abtests, abtests_sig) shot = user.create_shot(docTitle="A_TEST_SITE") page = user.read_shot(shot) download_url = page["download_url"] resp = user.session.get(download_url) assert resp.headers.get("Content-Disposition") mixed_up = "%s?download=%s&sig=%s" % ( download_url.split("?")[0], urllib.quote(abtests), urllib.quote(abtests_sig), ) resp = user.session.get(mixed_up) assert not resp.headers.get("Content-Disposition")
def test_download_key(): user = ScreenshotsClient() user.login() shot_1_url = user.create_shot(docTitle="A_TEST_SITE_1") shot_2_url = user.create_shot(docTitle="A_TEST_SITE_2") shot_1_page = user.read_shot(shot_1_url) shot_2_page = user.read_shot(shot_2_url) shot_1_download_url = shot_1_page["download_url"] shot_2_download_url = shot_2_page["download_url"] resp = user.session.get(shot_1_download_url) # This should normally work: print("Normal download URL:", shot_1_download_url) assert resp.headers["Content-Disposition"], "Should get a proper download response" mixed_up = shot_1_download_url.split("?")[0] + "?" + shot_2_download_url.split("?")[1] # Getting mixed_up should fail, since the signed download parameter comes from shot_2 # but we're fetching the image from shot_1 resp = user.session.get(mixed_up) print("Mixed-up URL:", mixed_up) print("Response:", resp) print("Content-Disposition header:", resp.headers.get("Content-Disposition")) assert not resp.headers.get("Content-Disposition"), "The signature shouldn't work"
def test_dunder_version(): unauthed_user = ScreenshotsClient() response = unauthed_user.get_uri("/__version__") response.raise_for_status()
def test_contribute_json(): unauthed_user = ScreenshotsClient() response = unauthed_user.get_uri("/contribute.json") if response.status_code != 200: response.raise_for_status()
def setup_shot_on_device(): user = ScreenshotsClient(hasAccount=True) user.login() shot_url = user.create_shot(docTitle="A_TEST_SITE_1") return {'user': user, 'shot_url': shot_url}
def test_put_auth(): first_user = ScreenshotsClient() second_user = ScreenshotsClient() first_user.login() second_user.login() shot_url = first_user.create_shot(docTitle="A_TEST_SITE_1") shot_id = urlparse.urlsplit(shot_url).path.strip("/") shot_page = first_user.read_shot(shot_url) print(first_user.read_shot(shot_url)["clip_url"], shot_page["clip_url"]) assert first_user.read_shot(shot_url)["clip_content"] == shot_page["clip_content"] assert "A_TEST_SITE_1" in shot_page["page"] try: second_user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2") except requests.HTTPError as e: if e.response.status_code != 403: raise else: assert False, "Second attempt to upload should have failed" second_shot_page = first_user.read_shot(shot_url) assert "A_TEST_SITE_1" in second_shot_page["page"] assert "A_TEST_SITE_2" not in second_shot_page["page"] assert shot_page["clip_url"] == second_shot_page["clip_url"] assert shot_page["clip_content"] == second_shot_page["clip_content"]
def setup_shot_on_device(): user = ScreenshotsClient() user.login() shot_url = user.create_shot(docTitle="A_TEST_SITE_1") return {'user': user, 'shot_url': shot_url}
def test_404_page(): unauthed_user = ScreenshotsClient() response = unauthed_user.get_uri("/404") if response.status_code != 404: response.raise_for_status()
def test_put_auth(): first_user = ScreenshotsClient() second_user = ScreenshotsClient() first_user.login() second_user.login() shot_url = first_user.create_shot(docTitle="A_TEST_SITE_1") shot_id = urlparse.urlsplit(shot_url).path.strip("/") shot_page = first_user.read_shot(shot_url) print(first_user.read_shot(shot_url)["clip_url"], shot_page["clip_url"]) assert first_user.read_shot( shot_url)["clip_content"] == shot_page["clip_content"] assert "A_TEST_SITE_1" in shot_page["page"] try: second_user.create_shot(shot_id=shot_id, docTitle="A_TEST_SITE_2") except requests.HTTPError as e: if e.response.status_code != 403: raise else: assert False, "Second attempt to upload should have failed" second_shot_page = first_user.read_shot(shot_url) assert "A_TEST_SITE_1" in second_shot_page["page"] assert "A_TEST_SITE_2" not in second_shot_page["page"] assert shot_page["clip_url"] == second_shot_page["clip_url"] assert shot_page["clip_content"] == second_shot_page["clip_content"]
def test_heartbeat(): unauthed_user = ScreenshotsClient() response = unauthed_user.get_uri("/__heartbeat__") response.raise_for_status()
def test_landing_page(): unauthed_user = ScreenshotsClient() resp = unauthed_user.get_uri("/") assert resp.status_code == 200
def test_metrics_page(): unauthed_user = ScreenshotsClient() resp = requests.get(urljoin(unauthed_user.backend, "/metrics")) assert resp.status_code == 200
def test_settings_page_requires_auth(): user = ScreenshotsClient() resp = requests.get(urljoin(user.backend, "/settings")) assert resp.url == user.backend + "/"