def test_unsafe_method_wrong_token(
    self, method, headers, post, scheme, scope
):
    """Reject an unsafe request whose submitted token is wrong.

    The session stub always answers "123456". ``headers`` and ``post`` are
    supplied by parametrization that is not visible here and presumably
    never carry that value -- confirm against the decorators. The check
    must fail with REASON_BAD_TOKEN and must fetch the expected token only
    through the accessor that matches ``scope``.
    """
    scoped_getter = pretend.call_recorder(lambda scope: "123456")
    plain_getter = pretend.call_recorder(lambda: "123456")
    session = pretend.stub(
        get_scoped_csrf_token=scoped_getter,
        get_csrf_token=plain_getter,
    )
    request = pretend.stub(
        headers=headers,
        method=method,
        scheme=scheme,
        host_url="https://a.example.com/",
        session=session,
        POST=post,
    )
    request._process_csrf = True
    request._csrf_scope = scope

    with pytest.raises(csrf.InvalidCSRF) as excinfo:
        csrf._check_csrf(request)

    reason = excinfo.value.args[0]
    assert reason == csrf.REASON_BAD_TOKEN

    # Exactly one accessor may be consulted: a scoped view must not fall
    # back to the session-wide token, and an unscoped view must not touch
    # the scoped one.
    if scope is None:
        expected_scoped, expected_plain = [], [pretend.call()]
    else:
        expected_scoped, expected_plain = [pretend.call(scope)], []
    assert scoped_getter.calls == expected_scoped
    assert plain_getter.calls == expected_plain
def test_unsafe_method_via_header(self, method, headers, scheme, scope):
    """Accept an unsafe request that carries the token in a header.

    POST is empty, so the only place the token appears is the "CSRFToken"
    request header, set to the same "123456" the session stub returns.
    ``csrf._check_csrf`` must return without raising, and must have read
    the expected token only through the accessor that matches ``scope``.
    """
    # Mutates the parametrized dict in place, exactly as a client adding
    # the header would appear to the view.
    headers.update({"CSRFToken": "123456"})

    scoped_getter = pretend.call_recorder(lambda scope: "123456")
    plain_getter = pretend.call_recorder(lambda: "123456")
    request = pretend.stub(
        headers=headers,
        method=method,
        scheme=scheme,
        host_url="https://a.example.com/",
        session=pretend.stub(
            get_scoped_csrf_token=scoped_getter,
            get_csrf_token=plain_getter,
        ),
        POST={},
    )
    request._process_csrf = True
    request._csrf_scope = scope

    # No pytest.raises here: a matching header token must pass the check.
    csrf._check_csrf(request)

    if scope is None:
        expected_scoped, expected_plain = [], [pretend.call()]
    else:
        expected_scoped, expected_plain = [pretend.call(scope)], []
    assert scoped_getter.calls == expected_scoped
    assert plain_getter.calls == expected_plain
def test_unsafe_method_via_header(self, method, headers, scheme, scope):
    """Check that a token sent in the "CSRFToken" header is honoured.

    The form body (POST) is empty and the header holds "123456", the value
    both session accessors are stubbed to return, so the check is expected
    to succeed. The recorded calls then show which accessor supplied the
    expected token: the scoped one when ``scope`` is set, otherwise the
    session-wide one.
    """
    headers.update({"CSRFToken": "123456"})

    session = pretend.stub(
        get_scoped_csrf_token=pretend.call_recorder(lambda scope: "123456"),
        get_csrf_token=pretend.call_recorder(lambda: "123456"),
    )
    request = pretend.stub(
        headers=headers,
        method=method,
        scheme=scheme,
        host_url="https://a.example.com/",
        session=session,
        POST={},
    )
    request._process_csrf = True
    request._csrf_scope = scope

    # Must not raise: the header token equals the session token.
    csrf._check_csrf(request)

    recorded = request.session
    if scope is None:
        assert recorded.get_csrf_token.calls == [pretend.call()]
        assert recorded.get_scoped_csrf_token.calls == []
    else:
        assert recorded.get_scoped_csrf_token.calls == [pretend.call(scope)]
        assert recorded.get_csrf_token.calls == []
def test_unsafe_method_wrong_token(
    self, method, headers, post, scheme, scope
):
    """Check that a mismatched CSRF token fails with REASON_BAD_TOKEN.

    Both session accessors are stubbed to return "123456". The request's
    ``headers`` and ``POST`` come from parametrization outside this view
    and are presumably chosen so that no submitted token equals it --
    verify against the decorators. The recorded calls also pin down which
    accessor the check used for the given ``scope``.
    """
    session = pretend.stub(
        get_scoped_csrf_token=pretend.call_recorder(lambda scope: "123456"),
        get_csrf_token=pretend.call_recorder(lambda: "123456"),
    )
    request = pretend.stub(
        headers=headers,
        method=method,
        scheme=scheme,
        host_url="https://a.example.com/",
        session=session,
        POST=post,
    )
    request._process_csrf = True
    request._csrf_scope = scope

    with pytest.raises(csrf.InvalidCSRF) as excinfo:
        csrf._check_csrf(request)
    assert excinfo.value.args[0] == csrf.REASON_BAD_TOKEN

    # The rejection must come after exactly one token lookup, through the
    # accessor selected by the scope and never through the other one.
    recorded = request.session
    if scope is None:
        assert recorded.get_csrf_token.calls == [pretend.call()]
        assert recorded.get_scoped_csrf_token.calls == []
    else:
        assert recorded.get_scoped_csrf_token.calls == [pretend.call(scope)]
        assert recorded.get_csrf_token.calls == []
def test_unsafe_method_https_no_origin(self, method):
    """Reject an unsafe HTTPS request that sends no origin information.

    The request has an empty header mapping, so no origin-identifying
    header is present. The check must raise InvalidCSRF with
    REASON_NO_ORIGIN. The stub has no ``session`` or ``POST`` attribute,
    so the check cannot have reached token comparison before failing.
    """
    req = pretend.stub(headers={}, method=method, scheme="https")
    req._process_csrf = True

    with pytest.raises(csrf.InvalidCSRF) as excinfo:
        csrf._check_csrf(req)

    reason = excinfo.value.args[0]
    assert reason == csrf.REASON_NO_ORIGIN
def test_unsafe_method_no_process(self, method):
    """Refuse unsafe methods on requests not opted in to CSRF processing.

    Two shapes are covered: a request with no ``_process_csrf`` attribute
    at all, and one where it is explicitly ``None``. In both cases the
    check must raise HTTPMethodNotAllowed rather than let the unsafe
    method through unchecked.
    """
    # Case 1: the attribute was never set on the request.
    unmarked = pretend.stub(method=method)
    with pytest.raises(HTTPMethodNotAllowed):
        csrf._check_csrf(unmarked)

    # Case 2: the attribute exists but carries no decision.
    undecided = pretend.stub(method=method)
    undecided._process_csrf = None
    with pytest.raises(HTTPMethodNotAllowed):
        csrf._check_csrf(undecided)
def test_unsafe_method_https_origin_invalid(self, method, headers):
    """Reject an unsafe HTTPS request whose origin does not match the host.

    ``headers`` is parametrized outside this view and presumably holds an
    "Origin" or "Referer" that differs from ``host_url`` -- confirm
    against the decorators. The failure reason must be REASON_BAD_ORIGIN
    formatted with the offending origin and the request's host URL, where
    "Origin" takes precedence and "Referer" is the fallback.
    """
    req = pretend.stub(
        headers=headers,
        method=method,
        scheme="https",
        host_url="https://a.example.com/",
    )
    req._process_csrf = True

    with pytest.raises(csrf.InvalidCSRF) as excinfo:
        csrf._check_csrf(req)

    # Read the headers only after the check has run, as the original does.
    referer = req.headers.get("Referer")
    origin = req.headers.get("Origin", referer)
    expected_reason = csrf.REASON_BAD_ORIGIN.format(origin, req.host_url)
    assert excinfo.value.args[0] == expected_reason
def test_safe_method(self, method):
    """Let a safe HTTP method through without any CSRF material.

    The stub exposes only ``method``: no headers, session, or
    ``_process_csrf``. The check returning without an exception shows
    that none of those were needed for the parametrized safe methods.
    """
    csrf._check_csrf(pretend.stub(method=method))