def testCSRF(self): """ test csrf protection """ # for this test, we need a bit more serious request simulation from ZPublisher.HTTPRequest import HTTPRequest from ZPublisher.HTTPResponse import HTTPResponse environ = {} environ.setdefault("SERVER_NAME", "foo") environ.setdefault("SERVER_PORT", "80") environ.setdefault("REQUEST_METHOD", "POST") request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) request.form = {"topic": "test subject", "replyto": "*****@*****.**", "comments": "test comments"} self.ff1.checkAuthenticator = True self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # with authenticator... no error tag = AuthenticatorView("context", "request").authenticator() token = tag.split('"')[5] request.form["_authenticator"] = token errors = self.ff1.fgvalidate(REQUEST=request) self.assertEqual(errors, {}) # sneaky GET request environ["REQUEST_METHOD"] = "GET" request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # bad authenticator request.form["_authenticator"] = "inauthentic" request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self): """ test CSRF check on data clear """ # create a saver and add a record self.ff1.invokeFactory('FormSaveDataAdapter', 'saver') saver = self.ff1.saver self.ff1.setActionAdapter( ('saver',) ) request = FakeRequest(topic = 'test subject', replyto='*****@*****.**', comments='test comments') errors = self.ff1.fgvalidate(REQUEST=request) self.assertEqual( errors, {} ) # for the rest of this test, we need a bit more serious request simulation environ = {} environ.setdefault('SERVER_NAME', 'foo') environ.setdefault('SERVER_PORT', '80') environ.setdefault('REQUEST_METHOD', 'POST') request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) # clearSavedFormInput is part of the API, so it should work if there's no # request saver.clearSavedFormInput() # But, if this is from a form, we should need a valid authenticator request.form = {'clearSavedFormInput':'1',} self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput, **{'request':request}) # with authenticator... no error tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] request.form['_authenticator'] = token saver.clearSavedFormInput(request=request)
def checkAuthenticator(self, path, query='', status=200): credentials = '%s:%s' % (ptc.default_user, ptc.default_password) path = '/' + self.portal.absolute_url(relative=True) + path data = StringIO(query) # without authenticator... response = self.publish(path=path, basic=credentials, env={}, request_method='POST', stdin=data) self.assertEqual(response.getStatus(), 403) # with authenticator... tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] data = StringIO(query + '&_authenticator=%s' % token) response = self.publish(path=path, basic=credentials, env={}, request_method='POST', stdin=data) self.assertEqual(response.getStatus(), status)
def checkAuthenticator(self, path, query='', status=200): credentials = '%s:%s' % (TEST_USER_NAME, TEST_USER_PASSWORD) path = '/' + self.portal.absolute_url(relative=True) + path data = StringIO(query) # without authenticator... response = self.publish(path=path, basic=credentials, env={}, request_method='POST', stdin=data) self.assertEqual(response.getStatus(), 403) # with authenticator... tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] data = StringIO(query + '&_authenticator=%s' % token) response = self.publish(path=path, basic=credentials, env={}, request_method='POST', stdin=data) self.assertEqual(response.getStatus(), status)
class AuthenticatorTests(KeyringTestCase): def setUp(self): KeyringTestCase.setUp(self) self.view = AuthenticatorView(None, None) def setUsername(self, name): user = getSecurityManager().getUser() user.name = name def setSecret(self, secret): self.manager['_forms'].data[0] = secret def testIsHtmlInput(self): auth = self.view.authenticator() self.failUnless(auth.startswith("<input")) self.failUnless(auth.endswith("/>")) def testDiffersPerUser(self): one = self.view.authenticator() self.setUsername("other") two = self.view.authenticator() self.assertNotEqual(one, two) def testDiffersPerSecret(self): one = self.view.authenticator() self.setSecret("other") two = self.view.authenticator() self.assertNotEqual(one, two) def testDiffersPerExtra(self): one = self.view.authenticator() two = self.view.authenticator('some-extra-value') self.assertNotEqual(one, two)
def testCSRF(self): """ test csrf protection """ # for this test, we need a bit more serious request simulation from ZPublisher.HTTPRequest import HTTPRequest from ZPublisher.HTTPResponse import HTTPResponse environ = {} environ.setdefault('SERVER_NAME', 'foo') environ.setdefault('SERVER_PORT', '80') environ.setdefault('REQUEST_METHOD', 'POST') request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) request.form = { 'topic': 'test subject', 'replyto': '*****@*****.**', 'comments': 'test comments', } self.ff1.CSRFProtection = True self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # with authenticator... no error tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] request.form['_authenticator'] = token errors = self.ff1.fgvalidate(REQUEST=request) self.assertEqual(errors, {}) # sneaky GET request environ['REQUEST_METHOD'] = 'GET' request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # bad authenticator request.form['_authenticator'] = 'inauthentic' request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
def testCSRF(self): """ test csrf protection """ # for this test, we need a bit more serious request simulation from ZPublisher.HTTPRequest import HTTPRequest from ZPublisher.HTTPResponse import HTTPResponse environ = {} environ.setdefault('SERVER_NAME', 'foo') environ.setdefault('SERVER_PORT', '80') environ.setdefault('REQUEST_METHOD', 'POST') request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) request.form = \ {'topic':'test subject', 'replyto':'*****@*****.**', 'comments':'test comments'} self.ff1.checkAuthenticator = True self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # with authenticator... no error tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] request.form['_authenticator'] = token errors = self.ff1.fgvalidate(REQUEST=request) self.assertEqual( errors, {} ) # sneaky GET request environ['REQUEST_METHOD'] = 'GET' request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request) # bad authenticator request.form['_authenticator'] = 'inauthentic' request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) self.assertRaises(zExceptions.Forbidden, self.ff1.fgvalidate, request)
class VerifyTests(KeyringTestCase): def setUp(self): self.request={} KeyringTestCase.setUp(self) self.view=AuthenticatorView(None, self.request) def setAuthenticator(self, key): user=getSecurityManager().getUser().getUserName() auth=hmac.new(key, user, sha).hexdigest() self.request["_authenticator"]=auth def testCorrectAuthenticator(self): self.manager.keys[0]=("secret") self.setAuthenticator("secret") self.assertEqual(self.view.verify(), True) def testOlderSecretVerifies(self): self.manager.keys[3]="backup" self.setAuthenticator("backup") self.assertEqual(self.view.verify(), True) def testMissingAuthenticator(self): self.assertEqual(self.view.verify(), False) def testIncorrectAuthenticator(self): self.request["_authenticator"]="incorrect" self.assertEqual(self.view.verify(), False) def testAuthenticatorWrongType(self): self.request["_authenticator"]=123 self.assertEqual(self.view.verify(), False)
def testCSRF(self): """ test CSRF check on data clear """ # create a saver and add a record self.ff1.invokeFactory('FormSaveDataAdapter', 'saver') saver = self.ff1.saver self.ff1.setActionAdapter(('saver', )) request = FakeRequest(topic='test subject', replyto='*****@*****.**', comments='test comments') errors = self.ff1.fgvalidate(REQUEST=request) self.assertEqual(errors, {}) # for the rest of this test, we need a bit more serious request simulation environ = {} environ.setdefault('SERVER_NAME', 'foo') environ.setdefault('SERVER_PORT', '80') environ.setdefault('REQUEST_METHOD', 'POST') request = HTTPRequest(sys.stdin, environ, HTTPResponse(stdout=sys.stdout)) # clearSavedFormInput is part of the API, so it should work if there's no # request saver.clearSavedFormInput() # But, if this is from a form, we should need a valid authenticator request.form = { 'clearSavedFormInput': '1', } self.assertRaises(zExceptions.Forbidden, saver.clearSavedFormInput, **{'request': request}) # with authenticator... no error tag = AuthenticatorView('context', 'request').authenticator() token = tag.split('"')[5] request.form['_authenticator'] = token saver.clearSavedFormInput(request=request)
class VerifyTests(KeyringTestCase): key_size = 2 def setUp(self): self.request = MockRequest() super(VerifyTests, self).setUp() self.view = AuthenticatorView(None, self.request) def setAuthenticator(self, key, extra='', name="_authenticator"): user = getSecurityManager().getUser().getUserName() if six.PY3: user = user.encode('utf-8') extra = extra.encode('utf-8') auth = hmac.new(key.encode('utf-8'), user + extra, sha).hexdigest() self.request[name] = auth def testCorrectAuthenticator(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret") self.assertEqual(self.view.verify(), True) def testCustomAuthenticatorKeyName(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret", name="_my_authenticator") self.assertEqual(self.view.verify(name="_my_authenticator"), True) def testOlderSecretVerifies(self): self.manager['_forms'].data[1] = "backup" self.setAuthenticator("backup") self.assertEqual(self.view.verify(), True) def testMissingAuthenticator(self): self.assertEqual(self.view.verify(), False) def testIncorrectAuthenticator(self): self.request["_authenticator"] = "incorrect" self.assertEqual(self.view.verify(), False) def testAuthenticatorWrongType(self): self.request["_authenticator"] = 123 self.assertEqual(self.view.verify(), False) def testExtraArgumentCanBeVerified(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret", 'some-extra-value') self.assertEqual(self.view.verify('some-extra-value'), True)
class VerifyTests(KeyringTestCase): key_size = 2 def setUp(self): self.request = MockRequest() super(VerifyTests, self).setUp() self.view = AuthenticatorView(None, self.request) def setAuthenticator(self, key, extra='', name="_authenticator"): user = getSecurityManager().getUser().getUserName() auth = hmac.new(key, user + extra, sha).hexdigest() self.request[name] = auth def testCorrectAuthenticator(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret") self.assertEqual(self.view.verify(), True) def testCustomAuthenticatorKeyName(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret", name="_my_authenticator") self.assertEqual(self.view.verify(name="_my_authenticator"), True) def testOlderSecretVerifies(self): self.manager['_forms'].data[1] = "backup" self.setAuthenticator("backup") self.assertEqual(self.view.verify(), True) def testMissingAuthenticator(self): self.assertEqual(self.view.verify(), False) def testIncorrectAuthenticator(self): self.request["_authenticator"] = "incorrect" self.assertEqual(self.view.verify(), False) def testAuthenticatorWrongType(self): self.request["_authenticator"] = 123 self.assertEqual(self.view.verify(), False) def testExtraArgumentCanBeVerified(self): self.manager['_forms'].data[0] = "secret" self.setAuthenticator("secret", 'some-extra-value') self.assertEqual(self.view.verify('some-extra-value'), True)
class VerifyTests(KeyringTestCase): def setUp(self): self.request = MockRequest() KeyringTestCase.setUp(self) self.view = AuthenticatorView(None, self.request) def setAuthenticator(self, key, extra='', name="_authenticator"): user = getSecurityManager().getUser().getUserName() auth = hmac.new(key, user + extra, sha).hexdigest() self.request[name] = auth def testCorrectAuthenticator(self): self.manager.keys[0] = ("secret") self.setAuthenticator("secret") self.assertEqual(self.view.verify(), True) def testCustomAuthenticatorKeyName(self): self.manager.keys[0] = ("secret") self.setAuthenticator("secret", name="_my_authenticator") self.assertEqual(self.view.verify(name="_my_authenticator"), True) def testOlderSecretVerifies(self): self.manager.keys[3] = "backup" self.setAuthenticator("backup") self.assertEqual(self.view.verify(), True) def testMissingAuthenticator(self): self.assertEqual(self.view.verify(), False) def testIncorrectAuthenticator(self): self.request["_authenticator"] = "incorrect" self.assertEqual(self.view.verify(), False) def testAuthenticatorWrongType(self): self.request["_authenticator"] = 123 self.assertEqual(self.view.verify(), False) def testExtraArgumentCanBeVerified(self): self.manager.keys[0] = ("secret") self.setAuthenticator("secret", 'some-extra-value') self.assertEqual(self.view.verify('some-extra-value'), True)
def read(context, request): tag = AuthenticatorView(context, request).authenticator() pattern = '<input .*name="(\w+)".*value="(\w+)"' _authenticator = re.match(pattern, tag).groups()[1] ret = { "url": router.url_for("read", force_external=True), "success": True, "error": False, "objects": [], "_authenticator": _authenticator, } debug_mode = App.config.getConfiguration().debug_mode catalog_name = request.get("catalog_name", "portal_catalog") if not catalog_name: raise ValueError("bad or missing catalog_name: " + catalog_name) catalog = getToolByName(context, catalog_name) indexes = catalog.indexes() contentFilter = {} for index in indexes: if index in request: if index == 'review_state' and "{" in request[index]: continue contentFilter[index] = safe_unicode(request[index]) if "%s[]"%index in request: value = request["%s[]"%index] if type(value) in (list, tuple): contentFilter[index] = [safe_unicode(v) for v in value] else: contentFilter[index] = value if 'limit' in request: try: contentFilter['sort_limit'] = int(request["limit"]) except ValueError: pass sort_on = request.get('sort_on', 'id') contentFilter['sort_on'] = sort_on # sort order sort_order = request.get('sort_order', '') if sort_order: contentFilter['sort_order'] = sort_order else: sort_order = 'ascending' contentFilter['sort_order'] = 'ascending' include_fields = get_include_fields(request) if debug_mode: logger.info("contentFilter: " + str(contentFilter)) # Get matching objects from catalog proxies = catalog(**contentFilter) # batching items page_nr = int(request.get("page_nr", 0)) try: page_size = int(request.get("page_size", 10)) except ValueError: page_size = 10 # page_size == 0: show all if page_size == 0: page_size = len(proxies) first_item_nr = page_size * page_nr if first_item_nr > len(proxies): first_item_nr = 0 page_proxies = proxies[first_item_nr:first_item_nr + page_size] for proxy in page_proxies: obj_data = {} # Place all proxy attributes into the result. obj_data.update(load_brain_metadata(proxy, include_fields)) # Place all schema fields ino the result. obj = proxy.getObject() obj_data.update(load_field_values(obj, include_fields)) obj_data['path'] = "/".join(obj.getPhysicalPath()) # call any adapters that care to modify this data. adapters = getAdapters((obj, ), IJSONReadExtender) for name, adapter in adapters: adapter(request, obj_data) ret['objects'].append(obj_data) ret['total_objects'] = len(proxies) ret['first_object_nr'] = first_item_nr last_object_nr = first_item_nr + len(page_proxies) if last_object_nr > ret['total_objects']: last_object_nr = ret['total_objects'] ret['last_object_nr'] = last_object_nr if debug_mode: logger.info("{0} objects returned".format(len(ret['objects']))) return ret
def setUp(self): self.request={} KeyringTestCase.setUp(self) self.view=AuthenticatorView(None, self.request)
def setUp(self): self.request = MockRequest() super(VerifyTests, self).setUp() self.view = AuthenticatorView(None, self.request)
def setUp(self): KeyringTestCase.setUp(self) self.view = AuthenticatorView(None, None)
def test_CSRF_header(self): self.request.environ['HTTP_X_CSRF_TOKEN'] = createToken() view = AuthenticatorView(None, self.request) self.assertEqual(view.verify(), True)
def setUp(self): self.request = MockRequest() KeyringTestCase.setUp(self) self.view = AuthenticatorView(None, self.request)
def test_incorrect_CSRF_header(self): self.request.environ['HTTP_X_CSRF_TOKEN'] = 'foobar' view = AuthenticatorView(None, self.request) self.assertEqual(view.verify(), False)
def getAuthenticator(self): tag = AuthenticatorView('context', 'request').authenticator() pattern = r'<input .*name="(\w+)".*value="(\w+)"' return match(pattern, tag).groups()