コード例 #1
0
class DropdownWithAuthTests(TestCase):
    """Tests correct dropdown behaviour with Auth views enabled."""
    def setUp(self):
        self.client = APIClient(enforce_csrf_checks=True)
        self.username = '******'
        self.email = '*****@*****.**'
        self.password = '******'
        self.user = User.objects.create_user(self.username, self.email,
                                             self.password)

    def tearDown(self):
        self.client.logout()

    def test_name_shown_when_logged_in(self):
        self.client.login(username=self.username, password=self.password)
        response = self.client.get('/')
        content = response.content.decode('utf8')
        assert 'john' in content

    def test_logout_shown_when_logged_in(self):
        self.client.login(username=self.username, password=self.password)
        response = self.client.get('/')
        content = response.content.decode('utf8')
        assert '>Log out<' in content

    def test_login_shown_when_logged_out(self):
        response = self.client.get('/')
        content = response.content.decode('utf8')
        assert '>Log in<' in content
コード例 #2
0
class SessionAuthTests(TestCase):
    """User session authentication"""
    def setUp(self):
        self.csrf_client = APIClient(enforce_csrf_checks=True)
        self.non_csrf_client = APIClient(enforce_csrf_checks=False)
        self.username = '******'
        self.email = '*****@*****.**'
        self.password = '******'
        self.user = User.objects.create_user(self.username, self.email,
                                             self.password)

    def tearDown(self):
        self.csrf_client.logout()

    def test_login_view_renders_on_get(self):
        """
        Ensure the login template renders for a basic GET.

        cf. [#1810](https://github.com/encode/django-rest-framework/pull/1810)
        """
        response = self.csrf_client.get('/auth/login/')
        content = response.content.decode('utf8')
        assert '<label for="id_username">Username:</label>' in content

    def test_post_form_session_auth_failing_csrf(self):
        """
        Ensure POSTing form over session authentication without CSRF token fails.
        """
        self.csrf_client.login(username=self.username, password=self.password)
        response = self.csrf_client.post('/session/', {'example': 'example'})
        assert response.status_code == status.HTTP_403_FORBIDDEN

    def test_post_form_session_auth_passing_csrf(self):
        """
        Ensure POSTing form over session authentication with CSRF token succeeds.
        Regression test for #6088
        """
        from django.middleware.csrf import _get_new_csrf_token

        self.csrf_client.login(username=self.username, password=self.password)

        # Set the csrf_token cookie so that CsrfViewMiddleware._get_token() works
        token = _get_new_csrf_token()
        self.csrf_client.cookies[settings.CSRF_COOKIE_NAME] = token

        # Post the token matching the cookie value
        response = self.csrf_client.post('/session/', {
            'example': 'example',
            'csrfmiddlewaretoken': token,
        })
        assert response.status_code == status.HTTP_200_OK

    def test_post_form_session_auth_passing(self):
        """
        Ensure POSTing form over session authentication with logged in
        user and CSRF token passes.
        """
        self.non_csrf_client.login(username=self.username,
                                   password=self.password)
        response = self.non_csrf_client.post('/session/',
                                             {'example': 'example'})
        assert response.status_code == status.HTTP_200_OK

    def test_put_form_session_auth_passing(self):
        """
        Ensure PUTting form over session authentication with
        logged in user and CSRF token passes.
        """
        self.non_csrf_client.login(username=self.username,
                                   password=self.password)
        response = self.non_csrf_client.put('/session/',
                                            {'example': 'example'})
        assert response.status_code == status.HTTP_200_OK

    def test_post_form_session_auth_failing(self):
        """
        Ensure POSTing form over session authentication without logged in user fails.
        """
        response = self.csrf_client.post('/session/', {'example': 'example'})
        assert response.status_code == status.HTTP_403_FORBIDDEN
コード例 #3
0
class TestAPITestClient(TestCase):
    def setUp(self):
        self.client = APIClient()

    def test_credentials(self):
        """
        Setting `.credentials()` adds the required headers to each request.
        """
        self.client.credentials(HTTP_AUTHORIZATION='example')
        for _ in range(0, 3):
            response = self.client.get('/view/')
            assert response.data['auth'] == 'example'

    def test_force_authenticate(self):
        """
        Setting `.force_authenticate()` forcibly authenticates each request.
        """
        user = User.objects.create_user('example', '*****@*****.**')
        self.client.force_authenticate(user)
        response = self.client.get('/view/')
        assert response.data['user'] == 'example'

    def test_force_authenticate_with_sessions(self):
        """
        Setting `.force_authenticate()` forcibly authenticates each request.
        """
        user = User.objects.create_user('example', '*****@*****.**')
        self.client.force_authenticate(user)

        # First request does not yet have an active session
        response = self.client.get('/session-view/')
        assert response.data['active_session'] is False

        # Subsequent requests have an active session
        response = self.client.get('/session-view/')
        assert response.data['active_session'] is True

        # Force authenticating as `None` should also logout the user session.
        self.client.force_authenticate(None)
        response = self.client.get('/session-view/')
        assert response.data['active_session'] is False

    def test_csrf_exempt_by_default(self):
        """
        By default, the test client is CSRF exempt.
        """
        User.objects.create_user('example', '*****@*****.**', 'password')
        self.client.login(username='******', password='******')
        response = self.client.post('/view/')
        assert response.status_code == 200

    def test_explicitly_enforce_csrf_checks(self):
        """
        The test client can enforce CSRF checks.
        """
        client = APIClient(enforce_csrf_checks=True)
        User.objects.create_user('example', '*****@*****.**', 'password')
        client.login(username='******', password='******')
        response = client.post('/view/')
        expected = {'detail': 'CSRF Failed: CSRF cookie not set.'}
        assert response.status_code == 403
        assert response.data == expected

    def test_can_logout(self):
        """
        `logout()` resets stored credentials
        """
        self.client.credentials(HTTP_AUTHORIZATION='example')
        response = self.client.get('/view/')
        assert response.data['auth'] == 'example'
        self.client.logout()
        response = self.client.get('/view/')
        assert response.data['auth'] == b''

    def test_logout_resets_force_authenticate(self):
        """
        `logout()` resets any `force_authenticate`
        """
        user = User.objects.create_user('example', '*****@*****.**', 'password')
        self.client.force_authenticate(user)
        response = self.client.get('/view/')
        assert response.data['user'] == 'example'
        self.client.logout()
        response = self.client.get('/view/')
        assert response.data['user'] == ''

    def test_follow_redirect(self):
        """
        Follow redirect by setting follow argument.
        """
        response = self.client.get('/redirect-view/')
        assert response.status_code == 302
        response = self.client.get('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

        response = self.client.post('/redirect-view/')
        assert response.status_code == 302
        response = self.client.post('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

        response = self.client.put('/redirect-view/')
        assert response.status_code == 302
        response = self.client.put('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

        response = self.client.patch('/redirect-view/')
        assert response.status_code == 302
        response = self.client.patch('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

        response = self.client.delete('/redirect-view/')
        assert response.status_code == 302
        response = self.client.delete('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

        response = self.client.options('/redirect-view/')
        assert response.status_code == 302
        response = self.client.options('/redirect-view/', follow=True)
        assert response.redirect_chain is not None
        assert response.status_code == 200

    def test_invalid_multipart_data(self):
        """
        MultiPart encoding cannot support nested data, so raise a helpful
        error if the user attempts to do so.
        """
        self.assertRaises(
            AssertionError, self.client.post,
            path='/view/', data={'valid': 123, 'invalid': {'a': 123}}
        )

    def test_empty_post_uses_default_boolean_value(self):
        response = self.client.post(
            '/post-view/',
            data=None,
            content_type='application/json'
        )
        assert response.status_code == 200
        assert response.data == {"flag": True}