def test_403_csrf_exception(self):
self.c = self.client_class(enforce_csrf_checks=True)
for accept_type in self.ACCEPT_TYPES:
resp = self.post(self.ISSUE_API_URL, {}, headers={'HTTP_ACCEPT': accept_type,
'CONTENT_TYPE': 'application/json'})
assert_in(accept_type, resp['Content-Type'])
assert_http_forbidden(resp)
def test_response_sensitive_data_body_in_json_should_be_hidden(self):
responses.add(responses.POST, 'http://test.cz', body='test')
requests.post('http://test.cz', data=json.dumps({'password': '******'}))
output_logged_requst = OutputLoggedRequest.objects.get()
assert_in('"password": "******"', output_logged_requst.request_body)
assert_not_in('"password": "******"', output_logged_requst.request_body)
assert_in('"password": "******"', responses.calls[0].request.body)
assert_not_in('"password": "******"', responses.calls[0].request.body)
def test_enum_with_distinct_key_and_value_should_contain_only_defined_values(self):
enum = Enum(
('A', 'c'), ('B', 'd')
)
assert_equal(enum.A, 'c')
assert_equal(enum.B, 'd')
assert_equal(list(enum), ['c', 'd'])
assert_equal(enum.all, ('c', 'd'))
assert_equal(enum.get_name('c'), 'A')
with assert_raises(AttributeError):
enum.C # pylint: disable=W0104
assert_is_none(enum.get_name('f'))
assert_in('c', enum)
assert_in(enum.A, enum)
assert_not_in('A', enum)
def test_enum_should_contain_only_defined_values(self):
enum = Enum(
'A', 'B'
)
assert_equal(enum.A, 'A')
assert_equal(enum.B, 'B')
assert_equal(list(enum), ['A', 'B'])
assert_equal(enum.all, ('A', 'B'))
assert_equal(enum.get_name('A'), 'A')
with assert_raises(AttributeError):
enum.C # pylint: disable=W0104
assert_is_none(enum.get_name('C'))
assert_in('A', enum)
assert_in(enum.A, enum)
assert_not_in('C', enum)
def test_auto_gemerated_num_enum_should_contain_only_defined_values(self):
enum = NumEnum(
'A', 'B'
)
assert_equal(enum.A, 1)
assert_equal(enum.B, 2)
assert_equal(list(enum), [1, 2])
assert_equal(enum.all, (1, 2))
assert_equal(enum.get_name(1), 'A')
with assert_raises(AttributeError):
enum.C # pylint: disable=W0104
assert_is_none(enum.get_name(3))
assert_in(1, enum)
assert_in(enum.A, enum)
assert_not_in('A', enum)
def test_token_should_be_updated_during_its_access(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
token = resp.json()['token']
resp = self.get(
self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
with freeze_time(timezone.now() + timedelta(minutes=10), tick=True):
resp = self.get(
self.INDEX_URL,
headers={'HTTP_AUTHORIZATION': 'Bearer {}'.format(token)})
assert_in('X-Authorization-Expiration', resp)
assert_true(resp['X-Authorization-Expiration'].startswith('0:59'))
def test_user_should_be_authorized_with_changed_header_name(self, user):
resp = self.post(self.API_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(self.INDEX_URL,
headers={
'HTTP_X_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_http_redirect(
self.get(self.INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
def test_user_should_be_authorized_from_token_and_uuid(self, user):
device_token = DeviceKey.objects.get_or_create_token(uuid=UUID,
user=user)[0]
resp = self.post(self.API_MOBILE_LOGIN_URL, {
'uuid': UUID,
'login_device_token': device_token
})
assert_http_ok(resp)
assert_in('token', resp.json())
assert_http_ok(
self.get(INDEX_URL,
headers={
'HTTP_AUTHORIZATION':
'Bearer {}'.format(resp.json()['token'])
}))
assert_not_in('Authorization', self.c.cookies)
assert_true(Token.objects.last().allowed_header)
assert_false(Token.objects.last().allowed_cookie)
def test_user_should_not_be_logged_in_two_factor_for_invalid_code(
self, user):
login_resp = self.post(self.UI_TWO_FACTOR_LOGIN_URL, {
'username': '******',
'password': '******'
})
assert_http_redirect(login_resp)
# the code value needs to be overwritten, so that its value could be used for next request
login_resp.wsgi_request.token.two_factor_code = make_password(
'12345', salt=Token.TWO_FACTOR_CODE_SALT)
login_resp.wsgi_request.token.save()
code_check_resp = self.post(self.UI_CODE_CHECK_LOGIN_URL,
{'code': 'other_code'})
assert_http_ok(code_check_resp)
assert_in(
_('The inserted value does not correspond to the sent code.'),
code_check_resp._container[0].decode('utf8'))
assert_false(code_check_resp.wsgi_request.token.is_authenticated)
def test_401_exception(self):
for accept_type in self.ACCEPT_TYPES:
resp = self.get(self.ISSUE_API_URL, headers={'HTTP_ACCEPT': accept_type})
assert_in(accept_type, resp['Content-Type'])
assert_http_unauthorized(resp)
def test_404_exception(self):
for accept_type in self.ACCEPT_TYPES:
resp = self.get('%s%s/' % (self.ISSUE_API_URL, 5), headers={'HTTP_ACCEPT': accept_type})
assert_in(accept_type, resp['Content-Type'])
assert_http_not_found(resp)
def test_403_exception(self):
self.get_user_obj()
for accept_type in self.ACCEPT_TYPES:
resp = self.post(self.USER_API_URL, headers={'HTTP_ACCEPT': accept_type}, data={})
assert_in(accept_type, resp['Content-Type'])
assert_http_forbidden(resp)
def test_401_exception(self):
for accept_type in self.ACCEPT_TYPES:
resp = self.get(self.ISSUE_API_URL, headers={'HTTP_ACCEPT': accept_type})
assert_in(accept_type, resp['Content-Type'])
assert_http_unauthorized(resp)
def test_superuser_should_read_is_superuser_field(self):
user = self.logged_user.user
resp = self.get('%s%s/' % (self.USER_UI_URL, user.pk))
assert_in(b'is_superuser', resp.content)
def test_sensitive_data_body_in_json_should_be_hidden(self):
self.c.post('/admin/login/', data=json.dumps({'username': '******', 'password': '******'}),
content_type='application/json')
input_logged_request = InputLoggedRequest.objects.get()
assert_in('"password": "******"', input_logged_request.request_body)
assert_not_in('"password": "******"', input_logged_request.request_body)
def test_404_exception(self):
for accept_type in self.ACCEPT_TYPES:
resp = self.get('%s%s/' % (self.ISSUE_API_URL, 5), headers={'HTTP_ACCEPT': accept_type})
assert_in(accept_type, resp['Content-Type'])
assert_http_not_found(resp)
def test_superuser_may_read_users_grid(self):
resp = self.get(self.ISSUE_UI_URL)
assert_in(b'data-col="watched_by_string"', resp.content)
def test_every_output_request_has_data_for_stdout_logging(self, func):
requests.get('http://test.cz')
assert_true(func.called)
func_args = func.call_args.args[0] if sys.version_info >= (
3, 8) else func.call_args_list[0][0][0] # data
assert_in('request_timestamp', func_args)
assert_in('response_timestamp', func_args)
assert_in('response_time', func_args)
assert_in('response_code', func_args)
assert_in('host', func_args)
assert_in('path', func_args)
assert_in('method', func_args)
assert_in('slug', func_args)
def test_sensitive_data_body_in_raw_form_should_be_hidden(self):
self.post('/admin/login/', data={'username': '******', 'password': '******'})
input_logged_request = InputLoggedRequest.objects.get()
assert_in('[Filtered]', input_logged_request.request_body)
def test_403_exception(self):
user = self.get_user_obj()
for accept_type in self.ACCEPT_TYPES:
resp = self.get('%s%s/' % (self.USER_API_URL, user.pk), headers={'HTTP_ACCEPT': accept_type})
assert_in(accept_type, resp['Content-Type'])
assert_http_forbidden(resp)
def test_sensitive_data_body_in_raw_form_should_be_hidden(self):
with capture_security_logs() as logged_data:
self.post('/admin/login/', data={'username': '******', 'password': '******'})
assert_in('[Filtered]', logged_data.input_request[0].request_body)
