def unsign_subdomain_cookie(result):
# type: (HttpResponse) -> Dict[str, Any]
key = 'subdomain.signature'
salt = key + 'zerver.views.auth'
cookie = result.cookies.get(key)
value = signing.get_cookie_signer(salt=salt).unsign(cookie.value, max_age=15)
return ujson.loads(value)
def test_reset_cookie(self):
from django.core.signing import SignatureExpired
request = get_request()
storage = self.get_storage()('wizard1', request, None)
storage.data = {'key1': 'value1'}
response = HttpResponse()
storage.update_response(response)
cookie_signer = signing.get_cookie_signer(storage.prefix)
signed_cookie_data = cookie_signer.sign(storage.encoder.encode(storage.data))
# signing with different timestamps generates different signatures
self.assertNotEqual(response.cookies[storage.prefix].value, signed_cookie_data)
self.assertEqual(cookie_signer.unsign(response.cookies[storage.prefix].value),
cookie_signer.unsign(signed_cookie_data))
self.assertRaises(SignatureExpired,
lambda: cookie_signer.unsign(value=response.cookies[storage.prefix].value, max_age=0))
self.assertEqual(cookie_signer.unsign(value=response.cookies[storage.prefix].value, max_age=10),
cookie_signer.unsign(signed_cookie_data))
storage.init_data()
storage.update_response(response)
unsigned_cookie_data = cookie_signer.unsign(response.cookies[storage.prefix].value)
self.assertEqual(unsigned_cookie_data, '{"step_files":{},"step":null,"extra_data":{},"step_data":{}}')
def setUp(self):
super(AnonymousMapViews, self).setUp()
self.anonymous_map = MapFactory(
name="an-anonymous-map",
owner=None,
)
key, value = self.anonymous_map.signed_cookie_elements
self.anonymous_cookie_key = key
self.anonymous_cookie_value = get_cookie_signer(salt=key).sign(value)
def test_login_with_incorrect_cookie_token(customer_user, client):
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign('incorrect')
client.cookies[utils.COOKIE_NAME] = value
response = client.post(
reverse('account:login'),
{'username': customer_user.email, 'password': '******'}, follow=True)
assert response.context['user'] == customer_user
authenticated_user_carts = customer_user.carts.all()
assert authenticated_user_carts.count() == 0
def test_login_with_incorrect_cookie_token(customer_user, client):
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign('incorrect')
client.cookies[utils.COOKIE_NAME] = value
response = client.post(
'/account/login',
{'login': customer_user.email, 'password': '******'})
assert response.context['user'] == customer_user
authenticated_user_carts = customer_user.carts.filter(
status=CartStatus.OPEN)
assert authenticated_user_carts.count() == 0
def test_login_with_incorrect_cookie_token(customer_user, client):
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign("incorrect")
client.cookies[utils.COOKIE_NAME] = value
response = client.post(
reverse("account:login"),
{"username": customer_user.email, "password": "******"},
follow=True,
)
assert response.context["user"] == customer_user
authenticated_user_checkouts = customer_user.checkouts.all()
assert authenticated_user_checkouts.count() == 0
def test_manipulated_cookie(self):
request = get_request()
storage = self.get_storage()('wizard1', request, None)
cookie_signer = signing.get_cookie_signer(storage.prefix)
storage.request.COOKIES[storage.prefix] = cookie_signer.sign(
storage.encoder.encode({'key1': 'value1'}))
self.assertEqual(storage.load_data(), {'key1': 'value1'})
storage.request.COOKIES[storage.prefix] = 'i_am_manipulated'
self.assertIsNone(storage.load_data())
def test_find_and_assign_anonymous_cart(anonymous_cart, customer_user, client):
cart_token = anonymous_cart.token
# Anonymous user has a cart with token stored in cookie
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(cart_token)
client.cookies[utils.COOKIE_NAME] = value
# Anonymous logs in
response = client.post(
reverse('account:login'),
{'username': customer_user.email, 'password': '******'}, follow=True)
assert response.context['user'] == customer_user
# User should have only one cart, the same as he had previously in
# anonymous session
authenticated_user_carts = customer_user.carts.all()
assert authenticated_user_carts.count() == 1
assert authenticated_user_carts[0].token == cart_token
def test_reset_cookie(self):
request = get_request()
storage = self.get_storage()('wizard1', request, None)
storage.data = {'key1': 'value1'}
response = HttpResponse()
storage.update_response(response)
cookie_signer = signing.get_cookie_signer(storage.prefix)
signed_cookie_data = cookie_signer.sign(storage.encoder.encode(storage.data))
self.assertEqual(response.cookies[storage.prefix].value, signed_cookie_data)
storage.init_data()
storage.update_response(response)
unsigned_cookie_data = cookie_signer.unsign(response.cookies[storage.prefix].value)
self.assertEqual(unsigned_cookie_data, '{"step_files":{},"step":null,"extra_data":{},"step_data":{}}')
def test_find_and_assign_anonymous_cart(
opened_anonymous_cart, customer_user, client):
cart_token = opened_anonymous_cart.token
# Anonymous user has a cart with token stored in cookie
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(cart_token)
client.cookies[utils.COOKIE_NAME] = value
# Anonymous logs in
response = client.post(
'/account/login',
{'login': customer_user.email, 'password': '******'})
assert response.context['user'] == customer_user
# User should have only one cart, the same as he had previously in
# anonymous session
authenticated_user_carts = customer_user.carts.filter(
status=CartStatus.OPEN)
assert authenticated_user_carts.count() == 1
assert authenticated_user_carts[0].token == cart_token
def login_as(self, user, organization_id=None, organization_ids=None,
superuser=False, superuser_sso=True):
user.backend = settings.AUTHENTICATION_BACKENDS[0]
request = self.make_request()
login(request, user)
request.user = user
if organization_ids is None:
organization_ids = set()
else:
organization_ids = set(organization_ids)
if superuser and superuser_sso is not False:
if SU_ORG_ID:
organization_ids.add(SU_ORG_ID)
if organization_id:
organization_ids.add(organization_id)
# TODO(dcramer): ideally this would get abstracted
if organization_ids:
request.session[SSO_SESSION_KEY] = ','.join(
six.text_type(o) for o in organization_ids)
# logging in implicitly binds superuser, but for test cases we
# want that action to be explicit to avoid accidentally testing
# superuser-only code
if not superuser:
# XXX(dcramer): we're calling the internal method to avoid logging
request.superuser._set_logged_out()
elif request.user.is_superuser and superuser:
request.superuser.set_logged_in(request.user)
# XXX(dcramer): awful hack to ensure future attempts to instantiate
# the Superuser object are successful
self.save_cookie(
name=SU_COOKIE_NAME,
value=signing.get_cookie_signer(
salt=SU_COOKIE_NAME + SU_COOKIE_SALT,
).sign(request.superuser.token),
max_age=None,
path=SU_COOKIE_PATH,
domain=SU_COOKIE_DOMAIN,
secure=SU_COOKIE_SECURE or None,
expires=None,
)
# Save the session values.
self.save_session()
def test_find_and_assign_anonymous_checkout(anonymous_checkout, customer_user, client):
checkout_token = anonymous_checkout.token
# Anonymous user has a checkout with token stored in cookie
value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(checkout_token)
client.cookies[utils.COOKIE_NAME] = value
# Anonymous logs in
response = client.post(
reverse("account:login"),
{"username": customer_user.email, "password": "******"},
follow=True,
)
assert response.context["user"] == customer_user
# User should have only one checkout, the same as he had previously in
# anonymous session
authenticated_user_checkouts = customer_user.checkouts.all()
assert authenticated_user_checkouts.count() == 1
assert authenticated_user_checkouts[0].token == checkout_token
def build_request(self, cookie_token=UNSET, session_token=UNSET,
expires=UNSET, idle_expires=UNSET, uid=UNSET,
session_data=True, user=None):
if user is None:
user = self.create_user('*****@*****.**', is_superuser=True)
current_datetime = self.current_datetime
request = self.make_request(user=user)
if cookie_token is not None:
request.COOKIES[COOKIE_NAME] = signing.get_cookie_signer(
salt=COOKIE_NAME + COOKIE_SALT,
).sign(self.default_token if cookie_token is UNSET else cookie_token)
if session_data:
request.session[SESSION_KEY] = {
'exp': (current_datetime + timedelta(hours=6) if expires is UNSET else expires).strftime('%s'),
'idl': (current_datetime + timedelta(minutes=15) if idle_expires is UNSET else idle_expires).strftime('%s'),
'tok': self.default_token if session_token is UNSET else session_token,
'uid': six.text_type(user.id) if uid is UNSET else uid,
}
return request
def get_signed_cookie(self, key, default=RAISE_ERROR, salt="", max_age=None):
"""
Attempts to return a signed cookie. If the signature fails or the
cookie has expired, raises an exception... unless you provide the
default argument in which case that value will be returned instead.
"""
try:
cookie_value = self.COOKIES[key]
except KeyError:
if default is not RAISE_ERROR:
return default
else:
raise
try:
value = signing.get_cookie_signer(salt=key + salt).unsign(cookie_value, max_age=max_age)
except signing.BadSignature:
if default is not RAISE_ERROR:
return default
else:
raise
return value
def get_signed_cookie(self, key, default=RAISE_ERROR, salt='', max_age=None):
"""
Attempt to return a signed cookie. If the signature fails or the
cookie has expired, raise an exception, unless the `default` argument
is provided, in which case return that value.
"""
try:
cookie_value = self.COOKIES[key]
except KeyError:
if default is not RAISE_ERROR:
return default
else:
raise
try:
value = signing.get_cookie_signer(salt=key + salt).unsign(
cookie_value, max_age=max_age)
except signing.BadSignature:
if default is not RAISE_ERROR:
return default
else:
raise
return value
def login_as(self, user, organization_id=None, superuser=False):
user.backend = settings.AUTHENTICATION_BACKENDS[0]
request = self.make_request()
login(request, user)
request.user = user
if organization_id:
request.session[SSO_SESSION_KEY] = six.text_type(organization_id)
# logging in implicitly binds superuser, but for test cases we
# want that action to be explicit to avoid accidentally testing
# superuser-only code
if not superuser:
# XXX(dcramer): we're calling the internal method to avoid logging
request.superuser._set_logged_out()
elif request.user.is_superuser and superuser:
request.superuser.set_logged_in(request.user)
# XXX(dcramer): awful hack to ensure future attempts to instantiate
# the Superuser object are successful
self.client.cookies[SU_COOKIE_NAME] = signing.get_cookie_signer(
salt=SU_COOKIE_NAME + SU_COOKIE_SALT,
).sign(request.superuser.token)
# Save the session values.
self.save_session()
def sign_cookie(self, request, value):
session_key = conf.get("SESSION_KEY")
cookies = request.COOKIES
signer = get_cookie_signer(session_key)
sign = signer.sign(value)
cookies[session_key] = sign
def set_signed_cookie(self, key, value, salt='', **kwargs):
value = signing.get_cookie_signer(salt=key + salt).sign(value)
return self.set_cookie(key, value, **kwargs)
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.signer = signing.get_cookie_signer(salt=self.key_salt)
def cookieclient(client, map):
key, value = map.signed_cookie_elements
client.cookies[key] = get_cookie_signer(salt=key).sign(value)
return client
def test_checkout_flow(product, variant, client):
"""
Basic test case that confirms if core checkout flow works
"""
# Prepare some data
variant.stock.create(quantity=100, location='Warehouse')
cart = Cart.objects.create()
cart.add(variant)
shipping_method = ShippingMethod.objects.create(name='DHL')
shipping_variant = shipping_method.price_per_country.create(price=10)
# Resolve urls
urls = {
'cart': reverse('cart:index'),
'checkout_index': reverse('checkout:index'),
'checkout_shipping_address': reverse('checkout:shipping-address'),
'checkout_shipping_method': reverse('checkout:shipping-method'),
'checkout_summary': reverse('checkout:summary')
}
# This is anonymous checkout, so cart token in stored in signed cookie
value = signing.get_cookie_signer(salt=Cart.COOKIE_NAME).sign(cart.token)
client.cookies[Cart.COOKIE_NAME] = value
# Go to cart page
cart_page = client.get(urls['cart'])
cart_lines = cart_page.context['cart_lines']
assert len(cart_lines) == cart.lines.count()
assert cart_lines[0]['product'] == variant
# Enter checkout
checkout_index = client.get(urls['checkout_index'])
# Checkout index redirects directly to shipping address step
assert_redirect(checkout_index, urls['checkout_shipping_address'])
shipping_address = client.get(urls['checkout_shipping_address'])
assert shipping_address.status_code == 200
# Enter shipping address data
shipping_data = {
'email': '*****@*****.**',
'first_name': 'John',
'last_name': 'Doe',
'street_address_1': 'Some street',
'street_address_2': '',
'city': 'Somewhere',
'city_area': '',
'country_area': '',
'postal_code': '50-123',
'country': 'PL'
}
shipping_response = client.post(urls['checkout_shipping_address'],
data=shipping_data)
# Select shipping method
assert_redirect(shipping_response, urls['checkout_shipping_method'])
shipping_method_page = client.get(urls['checkout_shipping_method'])
assert shipping_method_page.status_code == 200
# Redirect to summary after shipping method selection
shipping_method_response = client.post(urls['checkout_shipping_method'],
data={'method': shipping_method.pk})
assert_redirect(shipping_method_response, urls['checkout_summary'])
# Summary page asks for Billing address, default is the same as shipping
summary_response = client.post(urls['checkout_summary'],
data={'address': 'shipping_address'})
# After summary step, order is created and it waits for payment
order = Order.objects.latest('pk')
order_payment_url = reverse('order:payment', kwargs={'token': order.token})
assert_redirect(summary_response, order_payment_url)
payment_method_page = client.get(order_payment_url)
assert payment_method_page.status_code == 200
# Select payment method
payment_page = client.post(order_payment_url,
data={'method': 'default'},
follow=True)
assert len(payment_page.redirect_chain) == 1
assert payment_page.status_code == 200
# Go to payment details page, enter payment data
payment_page_url = payment_page.redirect_chain[0][0]
payment_data = {
'status': 'preauth',
'fraud_status': 'unknown',
'gateway_response': '3ds-disabled',
'verification_result': 'waiting'
}
payment_response = client.post(payment_page_url, data=payment_data)
assert payment_response.status_code == 302
# Target page contains full URL with domain from Site object
site = Site.objects.get_current()
order_details = reverse('order:details', kwargs={'token': order.token})
expected_url = 'http://%s%s' % (site, order_details)
assert payment_response['Location'] == expected_url
order_details_page = client.get(order_details)
assert order_details_page.status_code == 200
# Check if order has correct totals and payments
expected_total = variant.get_price() + shipping_variant.price
assert order.total == expected_total
assert order.payments.exists()
payment = order.payments.latest('pk')
assert payment.status == 'preauth'
assert order.status == OrderStatus.NEW
from django.core import signing
from django.test.utils import override_settings
from exam import fixture
from sentry.demo.demo_start import MEMBER_ID_COOKIE
from sentry.models import OrganizationStatus
from sentry.testutils import TestCase
from sentry.utils.compat import mock
signer = signing.get_cookie_signer(salt=MEMBER_ID_COOKIE)
@override_settings(DEMO_MODE=True, ROOT_URLCONF="sentry.demo.urls")
class DemoStartTeset(TestCase):
@fixture
def path(self):
return "/demo/start/"
def setUp(self):
super().setUp()
self.user = self.create_user()
self.org = self.create_organization()
self.member = self.create_member(organization=self.org,
role="member",
user=self.user)
@mock.patch("sentry.demo.demo_start.auth.login")
@mock.patch("sentry.demo.demo_org_manager.assign_demo_org")
def test_basic(self, mock_assign_demo_org, mock_auth_login):
mock_assign_demo_org.return_value = (self.org, self.user)
resp = self.client.post(self.path)
def set_signed_cookie(self, key, value, salt='', **kwargs):
value = signing.get_cookie_signer(salt=key + salt).sign(value)
return self.set_cookie(key, value, **kwargs)
from __future__ import unicode_literals
def cookieclient(client, anonymap):
key, value = anonymap.signed_cookie_elements
client.cookies[key] = get_cookie_signer(salt=key).sign(value)
return client
def test_checkout_flow(product_in_stock, client):
"""
Basic test case that confirms if core checkout flow works
"""
variant = product_in_stock.variants.get()
# Prepare some data
cart = Cart.objects.create()
cart.add(variant)
shipping_method = ShippingMethod.objects.create(name='DHL')
shipping_variant = shipping_method.price_per_country.create(price=10)
# Resolve urls
urls = {
'cart': reverse('cart:index'),
'checkout_index': reverse('checkout:index'),
'checkout_shipping_address': reverse('checkout:shipping-address'),
'checkout_shipping_method': reverse('checkout:shipping-method'),
'checkout_summary': reverse('checkout:summary')}
# This is anonymous checkout, so cart token in stored in signed cookie
value = signing.get_cookie_signer(salt=Cart.COOKIE_NAME).sign(cart.token)
client.cookies[Cart.COOKIE_NAME] = value
# Go to cart page
cart_page = client.get(urls['cart'])
cart_lines = cart_page.context['cart_lines']
assert len(cart_lines) == cart.lines.count()
assert cart_lines[0]['variant'] == variant
# Enter checkout
checkout_index = client.get(urls['checkout_index'])
# Checkout index redirects directly to shipping address step
assert_redirect(checkout_index, urls['checkout_shipping_address'])
shipping_address = client.get(urls['checkout_shipping_address'])
assert shipping_address.status_code == 200
# Enter shipping address data
shipping_data = {
'email': '*****@*****.**',
'first_name': 'John',
'last_name': 'Doe',
'street_address_1': 'Some street',
'street_address_2': '',
'city': 'Somewhere',
'city_area': '',
'country_area': '',
'postal_code': '50-123',
'country': 'PL'}
shipping_response = client.post(
urls['checkout_shipping_address'], data=shipping_data)
# Select shipping method
assert_redirect(shipping_response, urls['checkout_shipping_method'])
shipping_method_page = client.get(urls['checkout_shipping_method'])
assert shipping_method_page.status_code == 200
# Redirect to summary after shipping method selection
shipping_method_response = client.post(
urls['checkout_shipping_method'], data={'method': shipping_method.pk})
assert_redirect(shipping_method_response, urls['checkout_summary'])
# Summary page asks for Billing address, default is the same as shipping
summary_response = client.post(urls['checkout_summary'],
data={'address': 'shipping_address'})
# After summary step, order is created and it waits for payment
order = Order.objects.latest('pk')
order_payment_url = reverse('order:payment', kwargs={'token': order.token})
assert_redirect(summary_response, order_payment_url)
payment_method_page = client.get(order_payment_url)
assert payment_method_page.status_code == 200
# Select payment method
payment_page = client.post(order_payment_url, data={'method': 'default'},
follow=True)
assert len(payment_page.redirect_chain) == 1
assert payment_page.status_code == 200
# Go to payment details page, enter payment data
payment_page_url = payment_page.redirect_chain[0][0]
payment_data = {
'status': 'preauth',
'fraud_status': 'unknown',
'gateway_response': '3ds-disabled',
'verification_result': 'waiting'}
payment_response = client.post(payment_page_url, data=payment_data)
assert payment_response.status_code == 302
# Target page contains full URL with domain from Site object
site = Site.objects.get_current()
order_details = reverse('order:details', kwargs={'token': order.token})
expected_url = 'http://%s%s' % (site, order_details)
assert payment_response['Location'] == expected_url
order_details_page = client.get(order_details)
assert order_details_page.status_code == 200
# Check if order has correct totals and payments
expected_total = variant.get_price() + shipping_variant.price
assert order.total == expected_total
assert order.payments.exists()
payment = order.payments.latest('pk')
assert payment.status == 'preauth'
assert order.status == OrderStatus.NEW
def sign_cookie(self, request, value):
session_key = conf.get("SESSION_KEY")
cookies = request.COOKIES
signer = get_cookie_signer(session_key)
sign = signer.sign(value)
cookies[session_key] = sign
