def test_process_response_sudo_revoked_without_cookie(self):
self.login()
self.middleware.process_request(self.request)
grant_sudo_privileges(self.request)
revoke_sudo_privileges(self.request)
response = self.middleware.process_response(self.request, HttpResponse())
morsels = response.cookies.items()
self.assertEqual(len(morsels), 0)
def test_process_response_sets_secure_cookie(self):
self.login()
self.request.is_secure = lambda: True
self.middleware.process_request(self.request)
grant_sudo_privileges(self.request)
response = self.middleware.process_response(self.request, HttpResponse())
morsels = response.cookies.items()
self.assertEqual(len(morsels), 1)
self.assertEqual(morsels[0][0], COOKIE_NAME)
_, sudo = morsels[0]
self.assertTrue(self.request.is_secure())
self.assertTrue(sudo['secure'])
def login_as(self, user):
user.backend = settings.AUTHENTICATION_BACKENDS[0]
engine = import_module(settings.SESSION_ENGINE)
request = HttpRequest()
if self.client.session:
request.session = self.client.session
else:
request.session = engine.SessionStore()
login(request, user)
request.user = user
sudo_token = grant_sudo_privileges(request)
# Save the session values.
request.session.save()
# Set the cookie to represent the session.
session_cookie = settings.SESSION_COOKIE_NAME
self.client.cookies[session_cookie] = request.session.session_key
cookie_data = {
"max-age": None,
"path": "/",
"domain": settings.SESSION_COOKIE_DOMAIN,
"secure": settings.SESSION_COOKIE_SECURE or None,
"expires": None,
}
self.client.cookies[session_cookie].update(cookie_data)
self.client.cookies[SUDO_COOKIE_NAME] = sudo_token
def login_as(self, user):
user.backend = settings.AUTHENTICATION_BACKENDS[0]
engine = import_module(settings.SESSION_ENGINE)
request = HttpRequest()
if self.client.session:
request.session = self.client.session
else:
request.session = engine.SessionStore()
login(request, user)
request.user = user
sudo_token = grant_sudo_privileges(request)
# Save the session values.
request.session.save()
# Set the cookie to represent the session.
session_cookie = settings.SESSION_COOKIE_NAME
self.client.cookies[session_cookie] = request.session.session_key
cookie_data = {
'max-age': None,
'path': '/',
'domain': settings.SESSION_COOKIE_DOMAIN,
'secure': settings.SESSION_COOKIE_SECURE or None,
'expires': None,
}
self.client.cookies[session_cookie].update(cookie_data)
self.client.cookies[SUDO_COOKIE_NAME] = sudo_token
def test_process_response_sudo_revoked_removes_cookie(self):
self.login()
self.middleware.process_request(self.request)
grant_sudo_privileges(self.request)
self.request.COOKIES[COOKIE_NAME] = self.request._sudo_token
revoke_sudo_privileges(self.request)
response = self.middleware.process_response(self.request, HttpResponse())
morsels = response.cookies.items()
self.assertEqual(len(morsels), 1)
self.assertEqual(morsels[0][0], COOKIE_NAME)
_, sudo = morsels[0]
# Deleting a cookie is just setting it's value to empty
# and telling it to expire
self.assertEqual(sudo.key, COOKIE_NAME)
self.assertFalse(sudo.value)
self.assertEqual(sudo['max-age'], 0)
def test_process_response_with_sudo_sets_cookie(self):
self.login()
self.middleware.process_request(self.request)
grant_sudo_privileges(self.request)
response = self.middleware.process_response(self.request, HttpResponse())
morsels = response.cookies.items()
self.assertEqual(len(morsels), 1)
self.assertEqual(morsels[0][0], COOKIE_NAME)
_, sudo = morsels[0]
self.assertEqual(sudo.key, COOKIE_NAME)
self.assertEqual(sudo.value, self.request._sudo_token)
self.assertEqual(sudo['max-age'], self.request._sudo_max_age)
self.assertTrue(sudo['httponly'])
# Asserting that these are insecure together explicitly
# since it's a big deal to not f**k up
self.assertFalse(self.request.is_secure())
self.assertFalse(sudo['secure']) # insecure request
def sudo(request, template_name="sudo.html", extra_context=None):
redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, REDIRECT_URL)
# Make sure we're not redirecting to other sites
if not is_safe_url(url=redirect_to, host=request.get_host()):
redirect_to = resolve_url(REDIRECT_URL)
if request.is_sudo():
return HttpResponseRedirect(redirect_to)
form = SudoForm(request.user, request.POST or None)
if request.method == "POST":
if form.is_valid():
grant_sudo_privileges(request)
return HttpResponseRedirect(redirect_to)
context = {"form": form, REDIRECT_FIELD_NAME: redirect_to}
if extra_context is not None:
context.update(extra_context)
return TemplateResponse(request, template_name, context)
def test_revoked(self):
self.login()
grant_sudo_privileges(self.request)
revoke_sudo_privileges(self.request)
self.assertFalse(has_sudo_privileges(self.request))
def test_granted(self):
self.login()
grant_sudo_privileges(self.request)
self.assertTrue(has_sudo_privileges(self.request))
def test_revoke_sudo_privileges(self):
self.login()
grant_sudo_privileges(self.request)
revoke_sudo_privileges(self.request)
self.assertRequestNotSudo(self.request)
def test_without_user(self):
delattr(self.request, 'user')
token = grant_sudo_privileges(self.request)
self.assertIsNone(token)
def test_grant_token_explicit_max_age(self):
self.login()
token = grant_sudo_privileges(self.request, 60)
self.assertIsNotNone(token)
self.assertRequestHasToken(self.request, 60)
def test_grant_token_default_max_age(self):
self.login()
token = grant_sudo_privileges(self.request)
self.assertIsNotNone(token)
self.assertRequestHasToken(self.request, COOKIE_AGE)
def test_grant_token_not_logged_in(self):
with self.assertRaises(ValueError):
grant_sudo_privileges(self.request)
def test_user_logged_out(self):
self.login()
grant_sudo_privileges(self.request)
self.assertTrue(has_sudo_privileges(self.request))
user_logged_out.send_robust(sender=User, request=self.request)
self.assertFalse(has_sudo_privileges(self.request))
def grant(sender, request, **kwargs):
grant_sudo_privileges(request)
