def unsign_subdomain_cookie(result): # type: (HttpResponse) -> Dict[str, Any] key = 'subdomain.signature' salt = key + 'zerver.views.auth' cookie = result.cookies.get(key) value = signing.get_cookie_signer(salt=salt).unsign(cookie.value, max_age=15) return ujson.loads(value)
def test_reset_cookie(self): from django.core.signing import SignatureExpired request = get_request() storage = self.get_storage()('wizard1', request, None) storage.data = {'key1': 'value1'} response = HttpResponse() storage.update_response(response) cookie_signer = signing.get_cookie_signer(storage.prefix) signed_cookie_data = cookie_signer.sign(storage.encoder.encode(storage.data)) # signing with different timestamps generates different signatures self.assertNotEqual(response.cookies[storage.prefix].value, signed_cookie_data) self.assertEqual(cookie_signer.unsign(response.cookies[storage.prefix].value), cookie_signer.unsign(signed_cookie_data)) self.assertRaises(SignatureExpired, lambda: cookie_signer.unsign(value=response.cookies[storage.prefix].value, max_age=0)) self.assertEqual(cookie_signer.unsign(value=response.cookies[storage.prefix].value, max_age=10), cookie_signer.unsign(signed_cookie_data)) storage.init_data() storage.update_response(response) unsigned_cookie_data = cookie_signer.unsign(response.cookies[storage.prefix].value) self.assertEqual(unsigned_cookie_data, '{"step_files":{},"step":null,"extra_data":{},"step_data":{}}')
def setUp(self): super(AnonymousMapViews, self).setUp() self.anonymous_map = MapFactory( name="an-anonymous-map", owner=None, ) key, value = self.anonymous_map.signed_cookie_elements self.anonymous_cookie_key = key self.anonymous_cookie_value = get_cookie_signer(salt=key).sign(value)
def test_login_with_incorrect_cookie_token(customer_user, client): value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign('incorrect') client.cookies[utils.COOKIE_NAME] = value response = client.post( reverse('account:login'), {'username': customer_user.email, 'password': '******'}, follow=True) assert response.context['user'] == customer_user authenticated_user_carts = customer_user.carts.all() assert authenticated_user_carts.count() == 0
def test_login_with_incorrect_cookie_token(customer_user, client): value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign('incorrect') client.cookies[utils.COOKIE_NAME] = value response = client.post( '/account/login', {'login': customer_user.email, 'password': '******'}) assert response.context['user'] == customer_user authenticated_user_carts = customer_user.carts.filter( status=CartStatus.OPEN) assert authenticated_user_carts.count() == 0
def test_login_with_incorrect_cookie_token(customer_user, client): value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign("incorrect") client.cookies[utils.COOKIE_NAME] = value response = client.post( reverse("account:login"), {"username": customer_user.email, "password": "******"}, follow=True, ) assert response.context["user"] == customer_user authenticated_user_checkouts = customer_user.checkouts.all() assert authenticated_user_checkouts.count() == 0
def test_manipulated_cookie(self): request = get_request() storage = self.get_storage()('wizard1', request, None) cookie_signer = signing.get_cookie_signer(storage.prefix) storage.request.COOKIES[storage.prefix] = cookie_signer.sign( storage.encoder.encode({'key1': 'value1'})) self.assertEqual(storage.load_data(), {'key1': 'value1'}) storage.request.COOKIES[storage.prefix] = 'i_am_manipulated' self.assertIsNone(storage.load_data())
def test_find_and_assign_anonymous_cart(anonymous_cart, customer_user, client): cart_token = anonymous_cart.token # Anonymous user has a cart with token stored in cookie value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(cart_token) client.cookies[utils.COOKIE_NAME] = value # Anonymous logs in response = client.post( reverse('account:login'), {'username': customer_user.email, 'password': '******'}, follow=True) assert response.context['user'] == customer_user # User should have only one cart, the same as he had previously in # anonymous session authenticated_user_carts = customer_user.carts.all() assert authenticated_user_carts.count() == 1 assert authenticated_user_carts[0].token == cart_token
def test_reset_cookie(self): request = get_request() storage = self.get_storage()('wizard1', request, None) storage.data = {'key1': 'value1'} response = HttpResponse() storage.update_response(response) cookie_signer = signing.get_cookie_signer(storage.prefix) signed_cookie_data = cookie_signer.sign(storage.encoder.encode(storage.data)) self.assertEqual(response.cookies[storage.prefix].value, signed_cookie_data) storage.init_data() storage.update_response(response) unsigned_cookie_data = cookie_signer.unsign(response.cookies[storage.prefix].value) self.assertEqual(unsigned_cookie_data, '{"step_files":{},"step":null,"extra_data":{},"step_data":{}}')
def test_find_and_assign_anonymous_cart( opened_anonymous_cart, customer_user, client): cart_token = opened_anonymous_cart.token # Anonymous user has a cart with token stored in cookie value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(cart_token) client.cookies[utils.COOKIE_NAME] = value # Anonymous logs in response = client.post( '/account/login', {'login': customer_user.email, 'password': '******'}) assert response.context['user'] == customer_user # User should have only one cart, the same as he had previously in # anonymous session authenticated_user_carts = customer_user.carts.filter( status=CartStatus.OPEN) assert authenticated_user_carts.count() == 1 assert authenticated_user_carts[0].token == cart_token
def login_as(self, user, organization_id=None, organization_ids=None, superuser=False, superuser_sso=True): user.backend = settings.AUTHENTICATION_BACKENDS[0] request = self.make_request() login(request, user) request.user = user if organization_ids is None: organization_ids = set() else: organization_ids = set(organization_ids) if superuser and superuser_sso is not False: if SU_ORG_ID: organization_ids.add(SU_ORG_ID) if organization_id: organization_ids.add(organization_id) # TODO(dcramer): ideally this would get abstracted if organization_ids: request.session[SSO_SESSION_KEY] = ','.join( six.text_type(o) for o in organization_ids) # logging in implicitly binds superuser, but for test cases we # want that action to be explicit to avoid accidentally testing # superuser-only code if not superuser: # XXX(dcramer): we're calling the internal method to avoid logging request.superuser._set_logged_out() elif request.user.is_superuser and superuser: request.superuser.set_logged_in(request.user) # XXX(dcramer): awful hack to ensure future attempts to instantiate # the Superuser object are successful self.save_cookie( name=SU_COOKIE_NAME, value=signing.get_cookie_signer( salt=SU_COOKIE_NAME + SU_COOKIE_SALT, ).sign(request.superuser.token), max_age=None, path=SU_COOKIE_PATH, domain=SU_COOKIE_DOMAIN, secure=SU_COOKIE_SECURE or None, expires=None, ) # Save the session values. self.save_session()
def test_find_and_assign_anonymous_checkout(anonymous_checkout, customer_user, client): checkout_token = anonymous_checkout.token # Anonymous user has a checkout with token stored in cookie value = signing.get_cookie_signer(salt=utils.COOKIE_NAME).sign(checkout_token) client.cookies[utils.COOKIE_NAME] = value # Anonymous logs in response = client.post( reverse("account:login"), {"username": customer_user.email, "password": "******"}, follow=True, ) assert response.context["user"] == customer_user # User should have only one checkout, the same as he had previously in # anonymous session authenticated_user_checkouts = customer_user.checkouts.all() assert authenticated_user_checkouts.count() == 1 assert authenticated_user_checkouts[0].token == checkout_token
def build_request(self, cookie_token=UNSET, session_token=UNSET, expires=UNSET, idle_expires=UNSET, uid=UNSET, session_data=True, user=None): if user is None: user = self.create_user('*****@*****.**', is_superuser=True) current_datetime = self.current_datetime request = self.make_request(user=user) if cookie_token is not None: request.COOKIES[COOKIE_NAME] = signing.get_cookie_signer( salt=COOKIE_NAME + COOKIE_SALT, ).sign(self.default_token if cookie_token is UNSET else cookie_token) if session_data: request.session[SESSION_KEY] = { 'exp': (current_datetime + timedelta(hours=6) if expires is UNSET else expires).strftime('%s'), 'idl': (current_datetime + timedelta(minutes=15) if idle_expires is UNSET else idle_expires).strftime('%s'), 'tok': self.default_token if session_token is UNSET else session_token, 'uid': six.text_type(user.id) if uid is UNSET else uid, } return request
def get_signed_cookie(self, key, default=RAISE_ERROR, salt="", max_age=None): """ Attempts to return a signed cookie. If the signature fails or the cookie has expired, raises an exception... unless you provide the default argument in which case that value will be returned instead. """ try: cookie_value = self.COOKIES[key] except KeyError: if default is not RAISE_ERROR: return default else: raise try: value = signing.get_cookie_signer(salt=key + salt).unsign(cookie_value, max_age=max_age) except signing.BadSignature: if default is not RAISE_ERROR: return default else: raise return value
def get_signed_cookie(self, key, default=RAISE_ERROR, salt='', max_age=None): """ Attempt to return a signed cookie. If the signature fails or the cookie has expired, raise an exception, unless the `default` argument is provided, in which case return that value. """ try: cookie_value = self.COOKIES[key] except KeyError: if default is not RAISE_ERROR: return default else: raise try: value = signing.get_cookie_signer(salt=key + salt).unsign( cookie_value, max_age=max_age) except signing.BadSignature: if default is not RAISE_ERROR: return default else: raise return value
def login_as(self, user, organization_id=None, superuser=False): user.backend = settings.AUTHENTICATION_BACKENDS[0] request = self.make_request() login(request, user) request.user = user if organization_id: request.session[SSO_SESSION_KEY] = six.text_type(organization_id) # logging in implicitly binds superuser, but for test cases we # want that action to be explicit to avoid accidentally testing # superuser-only code if not superuser: # XXX(dcramer): we're calling the internal method to avoid logging request.superuser._set_logged_out() elif request.user.is_superuser and superuser: request.superuser.set_logged_in(request.user) # XXX(dcramer): awful hack to ensure future attempts to instantiate # the Superuser object are successful self.client.cookies[SU_COOKIE_NAME] = signing.get_cookie_signer( salt=SU_COOKIE_NAME + SU_COOKIE_SALT, ).sign(request.superuser.token) # Save the session values. self.save_session()
def sign_cookie(self, request, value): session_key = conf.get("SESSION_KEY") cookies = request.COOKIES signer = get_cookie_signer(session_key) sign = signer.sign(value) cookies[session_key] = sign
def set_signed_cookie(self, key, value, salt='', **kwargs): value = signing.get_cookie_signer(salt=key + salt).sign(value) return self.set_cookie(key, value, **kwargs)
def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.signer = signing.get_cookie_signer(salt=self.key_salt)
def cookieclient(client, map): key, value = map.signed_cookie_elements client.cookies[key] = get_cookie_signer(salt=key).sign(value) return client
def test_checkout_flow(product, variant, client): """ Basic test case that confirms if core checkout flow works """ # Prepare some data variant.stock.create(quantity=100, location='Warehouse') cart = Cart.objects.create() cart.add(variant) shipping_method = ShippingMethod.objects.create(name='DHL') shipping_variant = shipping_method.price_per_country.create(price=10) # Resolve urls urls = { 'cart': reverse('cart:index'), 'checkout_index': reverse('checkout:index'), 'checkout_shipping_address': reverse('checkout:shipping-address'), 'checkout_shipping_method': reverse('checkout:shipping-method'), 'checkout_summary': reverse('checkout:summary') } # This is anonymous checkout, so cart token in stored in signed cookie value = signing.get_cookie_signer(salt=Cart.COOKIE_NAME).sign(cart.token) client.cookies[Cart.COOKIE_NAME] = value # Go to cart page cart_page = client.get(urls['cart']) cart_lines = cart_page.context['cart_lines'] assert len(cart_lines) == cart.lines.count() assert cart_lines[0]['product'] == variant # Enter checkout checkout_index = client.get(urls['checkout_index']) # Checkout index redirects directly to shipping address step assert_redirect(checkout_index, urls['checkout_shipping_address']) shipping_address = client.get(urls['checkout_shipping_address']) assert shipping_address.status_code == 200 # Enter shipping address data shipping_data = { 'email': '*****@*****.**', 'first_name': 'John', 'last_name': 'Doe', 'street_address_1': 'Some street', 'street_address_2': '', 'city': 'Somewhere', 'city_area': '', 'country_area': '', 'postal_code': '50-123', 'country': 'PL' } shipping_response = client.post(urls['checkout_shipping_address'], data=shipping_data) # Select shipping method assert_redirect(shipping_response, urls['checkout_shipping_method']) shipping_method_page = client.get(urls['checkout_shipping_method']) assert shipping_method_page.status_code == 200 # Redirect to summary after shipping method selection shipping_method_response = client.post(urls['checkout_shipping_method'], data={'method': shipping_method.pk}) assert_redirect(shipping_method_response, urls['checkout_summary']) # Summary page asks for Billing address, default is the same as shipping summary_response = client.post(urls['checkout_summary'], data={'address': 'shipping_address'}) # After summary step, order is created and it waits for payment order = Order.objects.latest('pk') order_payment_url = reverse('order:payment', kwargs={'token': order.token}) assert_redirect(summary_response, order_payment_url) payment_method_page = client.get(order_payment_url) assert payment_method_page.status_code == 200 # Select payment method payment_page = client.post(order_payment_url, data={'method': 'default'}, follow=True) assert len(payment_page.redirect_chain) == 1 assert payment_page.status_code == 200 # Go to payment details page, enter payment data payment_page_url = payment_page.redirect_chain[0][0] payment_data = { 'status': 'preauth', 'fraud_status': 'unknown', 'gateway_response': '3ds-disabled', 'verification_result': 'waiting' } payment_response = client.post(payment_page_url, data=payment_data) assert payment_response.status_code == 302 # Target page contains full URL with domain from Site object site = Site.objects.get_current() order_details = reverse('order:details', kwargs={'token': order.token}) expected_url = 'http://%s%s' % (site, order_details) assert payment_response['Location'] == expected_url order_details_page = client.get(order_details) assert order_details_page.status_code == 200 # Check if order has correct totals and payments expected_total = variant.get_price() + shipping_variant.price assert order.total == expected_total assert order.payments.exists() payment = order.payments.latest('pk') assert payment.status == 'preauth' assert order.status == OrderStatus.NEW
from django.core import signing from django.test.utils import override_settings from exam import fixture from sentry.demo.demo_start import MEMBER_ID_COOKIE from sentry.models import OrganizationStatus from sentry.testutils import TestCase from sentry.utils.compat import mock signer = signing.get_cookie_signer(salt=MEMBER_ID_COOKIE) @override_settings(DEMO_MODE=True, ROOT_URLCONF="sentry.demo.urls") class DemoStartTeset(TestCase): @fixture def path(self): return "/demo/start/" def setUp(self): super().setUp() self.user = self.create_user() self.org = self.create_organization() self.member = self.create_member(organization=self.org, role="member", user=self.user) @mock.patch("sentry.demo.demo_start.auth.login") @mock.patch("sentry.demo.demo_org_manager.assign_demo_org") def test_basic(self, mock_assign_demo_org, mock_auth_login): mock_assign_demo_org.return_value = (self.org, self.user) resp = self.client.post(self.path)
from __future__ import unicode_literals
def cookieclient(client, anonymap): key, value = anonymap.signed_cookie_elements client.cookies[key] = get_cookie_signer(salt=key).sign(value) return client
def test_checkout_flow(product_in_stock, client): """ Basic test case that confirms if core checkout flow works """ variant = product_in_stock.variants.get() # Prepare some data cart = Cart.objects.create() cart.add(variant) shipping_method = ShippingMethod.objects.create(name='DHL') shipping_variant = shipping_method.price_per_country.create(price=10) # Resolve urls urls = { 'cart': reverse('cart:index'), 'checkout_index': reverse('checkout:index'), 'checkout_shipping_address': reverse('checkout:shipping-address'), 'checkout_shipping_method': reverse('checkout:shipping-method'), 'checkout_summary': reverse('checkout:summary')} # This is anonymous checkout, so cart token in stored in signed cookie value = signing.get_cookie_signer(salt=Cart.COOKIE_NAME).sign(cart.token) client.cookies[Cart.COOKIE_NAME] = value # Go to cart page cart_page = client.get(urls['cart']) cart_lines = cart_page.context['cart_lines'] assert len(cart_lines) == cart.lines.count() assert cart_lines[0]['variant'] == variant # Enter checkout checkout_index = client.get(urls['checkout_index']) # Checkout index redirects directly to shipping address step assert_redirect(checkout_index, urls['checkout_shipping_address']) shipping_address = client.get(urls['checkout_shipping_address']) assert shipping_address.status_code == 200 # Enter shipping address data shipping_data = { 'email': '*****@*****.**', 'first_name': 'John', 'last_name': 'Doe', 'street_address_1': 'Some street', 'street_address_2': '', 'city': 'Somewhere', 'city_area': '', 'country_area': '', 'postal_code': '50-123', 'country': 'PL'} shipping_response = client.post( urls['checkout_shipping_address'], data=shipping_data) # Select shipping method assert_redirect(shipping_response, urls['checkout_shipping_method']) shipping_method_page = client.get(urls['checkout_shipping_method']) assert shipping_method_page.status_code == 200 # Redirect to summary after shipping method selection shipping_method_response = client.post( urls['checkout_shipping_method'], data={'method': shipping_method.pk}) assert_redirect(shipping_method_response, urls['checkout_summary']) # Summary page asks for Billing address, default is the same as shipping summary_response = client.post(urls['checkout_summary'], data={'address': 'shipping_address'}) # After summary step, order is created and it waits for payment order = Order.objects.latest('pk') order_payment_url = reverse('order:payment', kwargs={'token': order.token}) assert_redirect(summary_response, order_payment_url) payment_method_page = client.get(order_payment_url) assert payment_method_page.status_code == 200 # Select payment method payment_page = client.post(order_payment_url, data={'method': 'default'}, follow=True) assert len(payment_page.redirect_chain) == 1 assert payment_page.status_code == 200 # Go to payment details page, enter payment data payment_page_url = payment_page.redirect_chain[0][0] payment_data = { 'status': 'preauth', 'fraud_status': 'unknown', 'gateway_response': '3ds-disabled', 'verification_result': 'waiting'} payment_response = client.post(payment_page_url, data=payment_data) assert payment_response.status_code == 302 # Target page contains full URL with domain from Site object site = Site.objects.get_current() order_details = reverse('order:details', kwargs={'token': order.token}) expected_url = 'http://%s%s' % (site, order_details) assert payment_response['Location'] == expected_url order_details_page = client.get(order_details) assert order_details_page.status_code == 200 # Check if order has correct totals and payments expected_total = variant.get_price() + shipping_variant.price assert order.total == expected_total assert order.payments.exists() payment = order.payments.latest('pk') assert payment.status == 'preauth' assert order.status == OrderStatus.NEW