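    def test_replay_attack_for_mobile_heartbeat_attempt(self):
        """Re-using an obfuscated password on the mobile heartbeat endpoint is rejected.

        With ``OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE`` on, the first basic-auth
        request stores the (user, obfuscated password) attempt in redis under
        ``key_name``.  A second request presenting the exact same credentials
        is treated as a replay and answered with 401 instead of the 404 the
        first request produced.
        """
        redis_client = get_redis_client()
        # Start from an empty store so a stale key from another test cannot
        # make the first assertion below pass or fail spuriously.
        redis_client.clear()
        with override_settings(OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE=True):
            obfuscated_password = "******"
            client = Client(enforce_csrf_checks=False)
            credentials = '%s:%s' % (self.username, obfuscated_password)
            auth_headers = {
                'HTTP_AUTHORIZATION': 'Basic ' + base64.b64encode(
                    credentials.encode('utf-8')).decode('utf-8'),
            }
            key_name = obfuscated_password_redis_key_for_user(
                self.username, obfuscated_password)
            # Nothing has been recorded for this (user, password) pair yet.
            self.assertFalse(redis_client.get(key_name))
            heartbeat_url = reverse('phone_heartbeat',
                                    args=[self.domain.name, "bad_app_id"])
            try:
                # First attempt: 404 for the bogus app id, and the attempt is
                # now stored, which arms the replay check.
                response = client.get(heartbeat_url, **auth_headers)
                self.assertEqual(response.status_code, 404)
                self.assertTrue(redis_client.get(key_name))

                # Replay: identical credentials are refused with 401.
                response = client.get(heartbeat_url, **auth_headers)
                self.assertEqual(response.status_code, 401)
            finally:
                # Drop the recorded attempt even if an assertion above fails,
                # so a leftover key cannot leak into other tests.
                redis_client.expire(key_name, 0)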
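    def test_replay_attack_for_web_login_attempt(self):
        """Re-using an obfuscated password on the web login form is rejected.

        With ``OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE`` on, the first form
        login succeeds and stores the (user, obfuscated password) attempt in
        redis under ``key_name``.  After logging out, posting the identical
        form data again is treated as a replay: the user stays on the login
        page and is asked for a password instead of being signed in.
        """
        redis_client = get_redis_client()
        # Start from an empty store so a stale key from another test cannot
        # make the first assertion below pass or fail spuriously.
        redis_client.clear()
        with override_settings(OBFUSCATE_PASSWORD_FOR_NIC_COMPLIANCE=True):
            obfuscated_password = "******"
            client = Client(enforce_csrf_checks=False)
            form_data = {
                'auth-username': self.username,
                'auth-password': obfuscated_password,
                'hq_login_view-current_step': 'auth',
            }
            key_name = obfuscated_password_redis_key_for_user(
                self.username, obfuscated_password)
            # Nothing has been recorded for this (user, password) pair yet.
            self.assertFalse(redis_client.get(key_name))
            login_url = reverse('login')
            try:
                # First attempt: login succeeds and the attempt is stored,
                # which arms the replay check.
                response = client.post(login_url, form_data, follow=True)
                # NOTE(review): the domain is hard-coded here while the
                # sibling heartbeat test uses self.domain.name; presumably
                # the fixture domain is 'delhi' -- confirm against setUp.
                self.assertRedirects(response, '/a/delhi/dashboard/project/')
                self.assertTrue(redis_client.get(key_name))
                client.get(reverse('logout'))

                # Replay: the same form data no longer logs the user in.
                response = client.post(login_url, form_data, follow=True)
                self.assertContains(response, "Please enter a password")
                self.assertEqual(response.status_code, 200)
                self.assertEqual(response.request['PATH_INFO'], '/accounts/login/')
            finally:
                # Drop the recorded attempt even if an assertion above fails,
                # so a leftover key cannot leak into other tests.
                redis_client.expire(key_name, 0)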