def test_logs_rejections(self):
    """A rejected request is recorded by the logger as a multi-line warning.

    The session represents an authenticated browser session (it holds an
    api_key and a csrf_token) and the request carries a non-matching
    X-XSRF-Token together with the request-context headers the warning
    reports on.
    """
    self.session['api_key'] = 'test-api-key'
    self.session['csrf_token'] = 'test-csrf-token'
    request_headers = {
        'X-XSRF-Token': 'definitely not the token',
        'X-Requested-With': 'test-x-requested-with',
        'Origin': 'http://test-origin.localdomain',
    }
    for name, value in request_headers.items():
        self.request.headers[name] = value
    self.request.referrer = 'http://test-referrer.localdomain'

    middleware.csrf_filter()

    # Empty entries are the blank lines separating the warning's fields.
    # NOTE(review): 'Path' and 'IP' come from the fixture built outside this
    # method. The value logged under 'X-CSRF-Token' is the X-XSRF-Token
    # header set above -- presumably the middleware's own label; confirm
    # against csrf_filter. The warning echoes client-supplied header values
    # verbatim, so it is worth confirming the log sink neutralises embedded
    # newlines.
    expected = [
        'WARNING - Possible CSRF attempt:',
        '---',
        '',
        'Path: /v0/test-path',
        '',
        'Origin: http://test-origin.localdomain',
        '',
        'Referrer: http://test-referrer.localdomain',
        '',
        'IP: 1.2.3.4',
        '',
        'X-Requested-With: test-x-requested-with',
        '',
        'X-CSRF-Token: definitely not the token',
        '',
        '---',
    ]
    self.assertEqual(expected, self.logger.lines)
def test_blocks_when_api_key_is_present_and_malformed(self):
    """Authorization that is present but malformed does not bypass the check.

    With no csrf_token in the session and no token header, the filter must
    still deny the request rather than treat the malformed credential as a
    valid API-key authentication.
    """
    self.session['api_key'] = 'test-api-key'
    # NOTE(review): the authorization value appears redacted in this copy of
    # the file and reads the same as in the well-formed case -- confirm the
    # real fixture value before relying on this test.
    malformed_auth = {'username': '******'}
    self.request.authorization = malformed_auth

    result = middleware.csrf_filter()

    denied = ('Access Denied: CSRF check failed', 403)
    self.assertEqual(denied, result)
def test_blocks_when_csrf_token_header_is_not_correct(self):
    """A token header that does not match the session token is rejected."""
    self.session['api_key'] = 'test-api-key'
    self.session['csrf_token'] = 'test-csrf-token'
    # Deliberately differs from the session's csrf_token.
    self.request.headers['X-XSRF-Token'] = 'definitely not the token'

    result = middleware.csrf_filter()

    denied = ('Access Denied: CSRF check failed', 403)
    self.assertEqual(denied, result)
def test_blocks_when_csrf_token_header_is_absent(self):
    """An authenticated session with no token header at all is rejected."""
    self.session['api_key'] = 'test-api-key'
    self.session['csrf_token'] = 'test-csrf-token'
    # Drop every header so no X-XSRF-Token (or anything else) reaches the
    # filter.
    self.request.headers.clear()

    result = middleware.csrf_filter()

    denied = ('Access Denied: CSRF check failed', 403)
    self.assertEqual(denied, result)
def test_allows_when_csrf_token_header_is_correct(self):
    """A token header equal to the session token passes the filter.

    A ``None`` return from csrf_filter means the request is allowed through.
    """
    token = 'test-csrf-token'
    self.session['api_key'] = 'test-api-key'
    self.session['csrf_token'] = token
    self.request.headers['X-XSRF-Token'] = token

    result = middleware.csrf_filter()

    self.assertIsNone(result)
def test_allows_when_api_key_is_present_and_well_formed(self):
    """Well-formed API-key authorization is accepted without a CSRF token.

    No csrf_token is placed in the session and no token header is sent; the
    authorization credential alone is expected to satisfy the filter.
    """
    self.session['api_key'] = 'test-api-key'
    # NOTE(review): the authorization value appears redacted in this copy of
    # the file and reads the same as in the malformed case -- confirm the
    # real fixture value before relying on this test.
    well_formed_auth = {'username': '******'}
    self.request.authorization = well_formed_auth

    result = middleware.csrf_filter()

    self.assertIsNone(result)
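def test_allows_when_method_is_rfc_2616_safe(self):
    """Safe methods pass the filter without any CSRF token.

    Only an api_key is placed in the session: no csrf_token and no token
    header, so the method alone must decide the outcome.

    Each method runs in its own ``subTest`` so that a failure for one method
    is reported without hiding the results for the others; previously the
    first failing method aborted the loop. ``reset_mock()`` is called before
    each iteration so recorded calls on the request do not carry over.
    """
    self.session['api_key'] = 'test-api-key'
    for method in ('GET', 'OPTIONS', 'HEAD'):
        with self.subTest(method=method):
            self.request.reset_mock()
            self.request.method = method
            response = middleware.csrf_filter()
            self.assertIsNone(response)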
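def test_blocks_when_method_is_not_rfc_2616_safe(self):
    """State-changing (and unknown) methods are rejected without a token.

    The session is authenticated and holds a csrf_token, but no token header
    is sent. 'BISCUIT' covers the unrecognised-method case: anything that is
    not known to be safe must be treated as unsafe.

    Each method runs in its own ``subTest`` so that a failure for one method
    is reported without hiding the results for the others; previously the
    first failing method aborted the loop. ``reset_mock()`` is called before
    each iteration so recorded calls on the request do not carry over.
    """
    self.session['api_key'] = 'test-api-key'
    self.session['csrf_token'] = 'test-csrf-token'
    denied = ('Access Denied: CSRF check failed', 403)
    for method in ('POST', 'PUT', 'DELETE', 'PATCH', 'BISCUIT'):
        with self.subTest(method=method):
            self.request.reset_mock()
            self.request.method = method
            response = middleware.csrf_filter()
            self.assertEqual(denied, response)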
def test_blocks_when_session_is_open(self):
    """An authenticated session with nothing else presented is rejected.

    Only the api_key is in the session: no csrf_token, no token header and no
    authorization, so the request must be denied.
    """
    self.session['api_key'] = 'test-api-key'

    result = middleware.csrf_filter()

    denied = ('Access Denied: CSRF check failed', 403)
    self.assertEqual(denied, result)
def test_allows_when_session_is_not_open(self):
    """With no session at all there is nothing to forge, so the filter allows.

    The session is emptied so no api_key (and no csrf_token) is present.
    """
    self.session.clear()

    result = middleware.csrf_filter()

    self.assertIsNone(result)