def test_cookie_probe_incorrect(render_template, current_app, app, cookie_kv):
current_app.config = {
"DM_COOKIE_PROBE_COOKIE_NAME": "foo",
"DM_COOKIE_PROBE_COOKIE_VALUE": "bar",
"DM_COOKIE_PROBE_EXPECT_PRESENT": True,
}
render_template.return_value = "<html>Oh dear</html>"
with app.test_request_context('/',
environ_base=cookie_kv and {
"HTTP_COOKIE": dump_cookie(*cookie_kv),
}):
app.config['WTF_CSRF_ENABLED'] = True
app.register_blueprint(external_blueprint)
response, status_code = csrf_handler(CSRFError())
assert response == render_template.return_value
assert status_code == 400
assert render_template.mock_calls == [
mock.call(
"errors/400.html",
error_message=
"This feature requires cookies to be enabled for correct operation",
)
]
def go_to_network(tries=0):
c = Client(mock=False)
form = GoToNetworkForm(request.form)
if not form.validate():
raise CSRFError()
curr_loc_query = request.form['curr_loc']
try:
if request.form.get('language', None):
networks = c.get_networks(1,
near_location=curr_loc_query,
language=request.form['language'])
elif request.form.get('from_loc', None):
networks = c.get_networks(1,
near_location=curr_loc_query,
from_location=request.form['from_loc'])
else:
abort(HTTPStatus.BAD_REQUEST)
except requests.exceptions.ConnectionError as e:
# Let's keep trying, but less agressively.
if tries >= GO_TO_NETWORK_MAX_RETRIES:
raise e
time.sleep(GO_TO_NETWORK_WAIT_SECS)
go_to_network(tries + 1)
if len(networks) != 1:
abort(HTTPStatus.INTERNAL_SERVER_ERROR)
return redirect(url_for('networks.network', id=str(networks[0]['id'])))
def test_csrf_redirects_to_sign_in_page_if_not_signed_in(client, mocker):
csrf_err = CSRFError('400 Bad Request: The CSRF tokens do not match.')
mocker.patch('app.main.views.index.render_template', side_effect=csrf_err)
response = client.get('/cookies')
assert response.status_code == 302
assert response.location == url_for('main.sign_in', next='/cookies', _external=True)
def test_csrf_redirects_to_sign_in_page_if_not_signed_in(client, mocker):
csrf_err = CSRFError("400 Bad Request: The CSRF tokens do not match.")
mocker.patch("app.main.views.index.render_template", side_effect=csrf_err)
response = client.get("/accounts")
assert response.status_code == 302
assert response.location == url_for("main.sign_in",
next="/accounts",
_external=True)
def test_csrf_returns_400(logged_in_client, mocker):
# we turn off CSRF handling for tests, so fake a CSRF response here.
csrf_err = CSRFError('400 Bad Request: The CSRF tokens do not match.')
mocker.patch('app.main.views.index.render_template', side_effect=csrf_err)
response = logged_in_client.get('/cookies')
assert response.status_code == 400
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.string.strip() == 'Something went wrong, please go back and try again.'
def test_csrf_returns_400(logged_in_client, mocker):
# we turn off CSRF handling for tests, so fake a CSRF response here.
csrf_err = CSRFError('400 Bad Request: The CSRF tokens do not match.')
mocker.patch('app.main.views.index.render_template', side_effect=csrf_err)
response = logged_in_client.get('/cookies')
assert response.status_code == 400
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.string.strip(
) == 'Sorry, there’s a problem with GOV.UK Notify'
assert page.title.string.strip(
) == 'Sorry, there’s a problem with the service – GOV.UK Notify'
def test_csrf_returns_400(client, mocker, sample_service):
# we turn off CSRF handling for tests, so fake a CSRF response here.
csrf_err = CSRFError('400 Bad Request: The CSRF tokens do not match.')
mocker.patch('app.service_api_client.get_service',
return_value={'data': sample_service})
mocker.patch('app.main.views.index.render_template', side_effect=csrf_err)
mocker.patch('app.main.views.index.is_file_available', return_value=True)
response = client.get(
url_for('main.landing',
service_id=uuid.uuid4(),
document_id=uuid.uuid4(),
key='1234'))
assert response.status_code == 400
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
assert page.h1.string.strip() == 'Page not found'
def test_csrf_handler_redirects_to_login(current_app, user_session, app,
cookie_probe_expect_present):
current_app.config = {
"DM_COOKIE_PROBE_COOKIE_NAME": "foo",
"DM_COOKIE_PROBE_COOKIE_VALUE": "bar",
"DM_COOKIE_PROBE_EXPECT_PRESENT": cookie_probe_expect_present,
}
with app.test_request_context(
'/',
environ_base={
"HTTP_COOKIE":
dump_cookie(
current_app.config["DM_COOKIE_PROBE_COOKIE_NAME"],
current_app.config["DM_COOKIE_PROBE_COOKIE_VALUE"],
),
}):
app.config['WTF_CSRF_ENABLED'] = True
app.register_blueprint(external_blueprint)
if user_session:
# Our user is logged in
session['user_id'] = 1234
response = csrf_handler(CSRFError())
assert response.status_code == 302
assert response.location == '/user/login?next=%2F'
if user_session:
assert current_app.logger.info.call_args_list == [
mock.call(
'csrf.invalid_token: Aborting request, user_id: {user_id}',
extra={'user_id': 1234})
]
else:
assert current_app.logger.info.call_args_list == [
mock.call(
'csrf.session_expired: Redirecting user to log in page')
]
def it_returns_400_for_csrf_error(self, mocker, client, mock_admin_logged_in):
csrf_err = CSRFError('400 Bad Request: The CSRF tokens do not match.')
mocker.patch('app.main.views.admin.admin.render_template', side_effect=csrf_err)
users = [
{
'access_area': 'admin'
},
{
'id': 'test id',
'email': '*****@*****.**',
'access_area': 'email,event,'
}
]
mocker.patch('app.api_client.get_users', return_value=users)
response = client.get(url_for('main.admin_users'))
assert response.status_code == 400
page = BeautifulSoup(response.data.decode('utf-8'), 'html.parser')
message = page.select_one('p')
assert message.text.strip() == 'Something went wrong, please go back and try again.'