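def test_replay_attack_for_mobile_heartbeat_attempt(self):
    """Replaying an obfuscated-password Basic Auth header must be rejected.

    With ``OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE`` enabled, the first request
    that authenticates with the obfuscated placeholder password records a
    per-user/per-password key in redis (the replay-detection state).  A
    second request carrying the byte-identical ``Authorization`` header must
    then be refused with 401 instead of authenticating again.

    The redis cleanup runs in a ``finally`` so that a failed assertion cannot
    leak replay state into later tests (the original only cleaned up on the
    success path).
    """
    get_redis_client().clear()
    redis_client = get_redis_client()
    with override_settings(OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE=True):
        obfuscated_password = "******"
        # CSRF enforcement is off for this client; the endpoint is exercised
        # purely through the HTTP Basic ``Authorization`` header below.
        client = Client(enforce_csrf_checks=False)
        credentials = '%s:%s' % (self.username, obfuscated_password)
        auth_headers = {
            'HTTP_AUTHORIZATION': 'Basic ' + base64.b64encode(
                credentials.encode('utf-8')).decode('utf-8'),
        }
        heartbeat_url = reverse(
            'phone_heartbeat', args=[self.domain.name, "bad_app_id"])

        # The replay-detection record must not exist before the first attempt.
        key_name = obfuscated_password_redis_key_for_user(
            self.username, obfuscated_password)
        self.assertFalse(redis_client.get(key_name))
        try:
            response = client.get(heartbeat_url, **auth_headers)
            # 404 rather than 401: presumably authentication succeeded and
            # only the unknown app id was rejected -- confirm against the view.
            self.assertEqual(response.status_code, 404)
            # ...and the login attempt is now recorded for replay detection.
            self.assertTrue(redis_client.get(key_name))

            # Replay: the identical credentials a second time must be refused.
            response = client.get(heartbeat_url, **auth_headers)
            self.assertEqual(response.status_code, 401)
        finally:
            # Drop the replay record even if an assertion above failed.
            redis_client.expire(key_name, 0)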
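def test_replay_attack_for_web_login_attempt(self):
    """Replaying an obfuscated password on the web login form must be rejected.

    Mirrors the mobile heartbeat case for the session-based login view: the
    first POST with the obfuscated placeholder password logs the user in and
    records a per-user/per-password key in redis; after logging out, a second
    POST with the same form data must land back on the login page with the
    generic "Please enter a password" message instead of authenticating.

    The redis cleanup runs in a ``finally`` so that a failed assertion cannot
    leak replay state into later tests (the original only cleaned up on the
    success path).
    """
    get_redis_client().clear()
    redis_client = get_redis_client()
    with override_settings(OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE=True):
        obfuscated_password = "******"
        # CSRF enforcement is off for this client, so the form POSTs below
        # exercise only the credential/replay handling, not CSRF protection.
        client = Client(enforce_csrf_checks=False)
        form_data = {
            'auth-username': self.username,
            'auth-password': obfuscated_password,
            'hq_login_view-current_step': 'auth',
        }
        login_url = reverse('login')

        # The replay-detection record must not exist before the first attempt.
        key_name = obfuscated_password_redis_key_for_user(
            self.username, obfuscated_password)
        self.assertFalse(redis_client.get(key_name))
        try:
            response = client.post(login_url, form_data, follow=True)
            # NOTE(review): hard-coded domain slug -- assumes the fixture
            # domain is 'delhi'; derive from self.domain.name if that changes.
            self.assertRedirects(response, '/a/delhi/dashboard/project/')
            # The successful login is now recorded for replay detection.
            self.assertTrue(redis_client.get(key_name))

            # End the session so the replay is a fresh authentication attempt
            # rather than an already-logged-in redirect.
            client.get(reverse('logout'))

            # Replay: the identical form data must not log the user in again.
            response = client.post(login_url, form_data, follow=True)
            self.assertContains(response, "Please enter a password")
            self.assertEqual(response.status_code, 200)
            self.assertEqual(response.request['PATH_INFO'], '/accounts/login/')
        finally:
            # Drop the replay record even if an assertion above failed.
            redis_client.expire(key_name, 0)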