class DirectoryTopicFilterTest(TestCase):
def setUp(self):
self.directory = DirectoryPageFactory()
# set up topics
pf = TopicFactory(title='Press Freedom')
irs = TopicFactory(title='IRS')
pf.save()
irs.save()
# set up instances that are children of the directory and have those topics
self.pf_instance = DirectoryEntryFactory(parent=self.directory)
self.pf_instance.topics.add(pf)
self.pf_instance.save()
self.irs_instance = DirectoryEntryFactory(parent=self.directory)
self.irs_instance.topics.add(irs)
self.irs_instance.save()
self.topic_filter = {'topics': pf}
def test_topic_filtered_for_is_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.topic_filter)
self.assertIn(self.pf_instance, filtered_instances)
def test_topic_not_filtered_for_is_not_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.topic_filter)
self.assertNotIn(self.irs_instance, filtered_instances)
def handle(self, *args, **options):
number_of_instances = options['number_of_instances']
home_page = HomePage.objects.get(slug='home')
directory = DirectoryPage.objects.first()
if not directory:
directory = DirectoryPageFactory(parent=home_page, title="Directory")
directory.save()
for i in range(number_of_instances):
instance = DirectoryEntryFactory(parent=directory)
if i % 3 == 0:
scan = ScanResultFactory(
securedrop=instance,
landing_page_url=instance.landing_page_url,
no_failures=True,
)
elif i % 3 == 1:
scan = ScanResultFactory(
securedrop=instance,
landing_page_url=instance.landing_page_url,
severe_warning=True,
)
else:
scan = ScanResultFactory(
securedrop=instance,
landing_page_url=instance.landing_page_url,
moderate_warning=True,
)
scan.save()
instance.save()
class DirectoryCountryFilterTest(TestCase):
def setUp(self):
self.directory = DirectoryPageFactory()
# set up countries
mexico = CountryFactory(title='Mexico')
azerbaijan = CountryFactory(title='Azerbaijan')
mexico.save()
azerbaijan.save()
# set up instances that are children of the directory and have those countries
self.mexico_instance = DirectoryEntryFactory(parent=self.directory)
self.mexico_instance.countries.add(mexico)
self.mexico_instance.save()
self.azerbaijan_instance = DirectoryEntryFactory(parent=self.directory)
self.azerbaijan_instance.countries.add(azerbaijan)
self.azerbaijan_instance.save()
self.country_filter = {'countries': mexico}
def test_country_filtered_for_is_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.country_filter)
self.assertIn(self.mexico_instance, filtered_instances)
def test_country_not_filtered_for_is_not_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.country_filter)
self.assertNotIn(self.azerbaijan_instance, filtered_instances)
def setUp(self):
self.directory = DirectoryPageFactory()
self.best_instance = DirectoryEntryFactory(title="Best Instansce",
parent=self.directory)
self.worst_instance = DirectoryEntryFactory(title="Worst Instance",
parent=self.directory)
self.search_filter = {'title__icontains': 'best'}
class DirectoryLanguageFilterTest(TestCase):
def setUp(self):
self.directory = DirectoryPageFactory()
# set up languages
spanish = LanguageFactory(title='Spanish')
chinese = LanguageFactory(title='Chinese')
spanish.save()
chinese.save()
# set up instances that are children of the directory and have those languages
self.spanish_instance = DirectoryEntryFactory(parent=self.directory)
self.spanish_instance.languages.add(spanish)
self.spanish_instance.save()
self.chinese_instance = DirectoryEntryFactory(parent=self.directory)
self.chinese_instance.languages.add(chinese)
self.chinese_instance.save()
self.lang_filter = {'languages': spanish}
def test_language_filtered_for_is_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.lang_filter)
self.assertIn(self.spanish_instance, filtered_instances)
def test_langauge_not_filtered_for_is_not_in_queryset(self):
filtered_instances = self.directory.get_instances(
filters=self.lang_filter)
self.assertNotIn(self.chinese_instance, filtered_instances)
def test_bulk_scan_not_live(self):
"""
When scanner.bulk_scan is called, it should save all new results to the
database, even if one of the instances cannot be reached by HTTP. It
should save a result to the database for the instance that cannot be
reached by HTTP with live False
In addition to vcrpy, this test mocks requests.get to simulate a
ConnectionError for a URL that does not exist without actually sending
an HTTP request to that URL
"""
sd1 = DirectoryEntryFactory.create(
title='SecureDrop',
landing_page_url='https://securedrop.org',
onion_address='notreal.onion')
sd2 = DirectoryEntryFactory.create(
title='Freedom of the Press Foundation',
landing_page_url=NON_EXISTENT_URL,
onion_address='notreal-2.onion')
sd3 = DirectoryEntryFactory.create(
title='Freedom of the Press Foundation',
landing_page_url='https://freedom.press',
onion_address='notreal-3.onion')
securedrop_pages_qs = DirectoryEntry.objects.all()
scanner.bulk_scan(securedrop_pages_qs)
self.assertTrue(
DirectoryEntry.objects.get(pk=sd1.pk).results.all()[0].live)
self.assertFalse(
DirectoryEntry.objects.get(pk=sd2.pk).results.all()[0].live)
self.assertTrue(
DirectoryEntry.objects.get(pk=sd3.pk).results.all()[0].live)
def test_securedrop_can_save_expected_urls(self):
securedrop = DirectoryEntryFactory(
landing_page_url='https://www.something.org',
onion_address='https://notreal.onion',
)
securedrop.save()
self.assertIn(securedrop, DirectoryEntry.objects.all())
class DirectoryEntryAuthTest(TestCase):
def setUp(self):
User = get_user_model()
self.client = Client()
self.username = "******"
self.email = "*****@*****.**"
self.password = "******"
self.user = User.objects.create_user(username=self.username, email=self.email, password=self.password, is_active=True)
self.user.save()
# Create a verified email address object for this user via allauth
EmailAddress.objects.create(user=self.user, email=self.email, verified=True)
# Setup pages. Site is needed for valid urls.
site = Site.objects.get()
directory = DirectoryPageFactory(parent=site.root_page)
self.unowned_sd_page = DirectoryEntryFactory(live=True, parent=directory)
self.unowned_sd_page.save()
self.user_owned_sd_page = DirectoryEntryFactory(live=True, parent=directory)
self.user_owned_sd_page.save()
SecuredropOwner(owner=self.user, page=self.user_owned_sd_page).save()
def test_logged_in_user_should_see_edit_on_owned_pages(self):
# Login
self.client.post(reverse_lazy('account_login'), {'login': self.email, 'password': self.password})
response = self.client.get(self.user_owned_sd_page.url)
self.assertTrue(response.context['page'].editable)
def test_logged_out_user_should_not_see_edit(self):
response = self.client.get(self.user_owned_sd_page.url)
self.assertFalse(response.context['page'].editable)
def test_logged_in_user_should_not_see_edit_on_unowned_pages(self):
self.client.post(reverse_lazy('account_login'), {'login': self.email, 'password': self.password})
response = self.client.get(self.unowned_sd_page.url)
self.assertFalse(response.context['page'].editable)
def test_cache_purged_for_directory_entry(self, purge_mock):
"Homepage cache should be purged when a new directory entry is added"
DirectoryEntryFactory.create()
# DirectoryEntry saving logic causes it to be saved twice, triggering
# the purge twice (this is not necessarily desireable, but it is
# mostly harmless)
purge_mock.assert_has_calls(
[call(self.home_page), call(self.home_page)])
def test_duplicate_landing_pages_are_invalid(self):
landing_page_url = 'https://www.freedom.press'
DirectoryEntryFactory(
landing_page_url=landing_page_url,
)
with self.assertRaises(ValidationError):
DirectoryEntryFactory(
landing_page_url=landing_page_url,
)
def test_returns_latest_live_result(self):
sd = DirectoryEntryFactory()
ScanResultFactory(live=False, securedrop=sd, landing_page_url=sd.landing_page_url).save()
ScanResultFactory(live=False, securedrop=sd, landing_page_url=sd.landing_page_url).save()
r3 = ScanResultFactory(live=True, securedrop=sd, landing_page_url=sd.landing_page_url)
r3.save()
sd = DirectoryEntry.objects.get(pk=sd.pk)
self.assertEqual(r3, sd.get_live_result())
def test_domain_annotation(self):
DirectoryEntryFactory.create(
landing_page_url="https://securedrop.org/subpath"
)
securedrop_page_qs = DirectoryEntry.objects.with_domain_annotation()
self.assertEqual(
securedrop_page_qs.values_list('domain', flat=True)[0],
'securedrop.org'
)
def setUp(self):
self.title = 'Awesome'
self.landing_page_url = 'https://landing.com'
self.onion_address = 'something.onion'
self.description = 'Amaze'
self.sd = DirectoryEntryFactory(
title=self.title,
landing_page_url=self.landing_page_url,
onion_address=self.onion_address,
organization_description=self.description
)
self.search_content = self.sd.get_search_content()
def setUp(self):
site = Site.objects.get()
self.entry = DirectoryEntryFactory(parent=DirectoryPageFactory(
parent=site.root_page))
self.result = ScanResultFactory(
securedrop=self.entry,
landing_page_url=self.entry.landing_page_url,
moderate_warning=True,
)
self.result.save()
self.entry.save()
self.client = Client()
def setUp(self):
self.directory = DirectoryPageFactory()
# set up countries
mexico = CountryFactory(title='Mexico')
azerbaijan = CountryFactory(title='Azerbaijan')
mexico.save()
azerbaijan.save()
# set up instances that are children of the directory and have those countries
self.mexico_instance = DirectoryEntryFactory(parent=self.directory)
self.mexico_instance.countries.add(mexico)
self.mexico_instance.save()
self.azerbaijan_instance = DirectoryEntryFactory(parent=self.directory)
self.azerbaijan_instance.countries.add(azerbaijan)
self.azerbaijan_instance.save()
self.country_filter = {'countries': mexico}
def setUp(self):
self.directory = DirectoryPageFactory()
# set up topics
pf = TopicFactory(title='Press Freedom')
irs = TopicFactory(title='IRS')
pf.save()
irs.save()
# set up instances that are children of the directory and have those topics
self.pf_instance = DirectoryEntryFactory(parent=self.directory)
self.pf_instance.topics.add(pf)
self.pf_instance.save()
self.irs_instance = DirectoryEntryFactory(parent=self.directory)
self.irs_instance.topics.add(irs)
self.irs_instance.save()
self.topic_filter = {'topics': pf}
def setUp(self):
self.directory = DirectoryPageFactory()
# set up languages
spanish = LanguageFactory(title='Spanish')
chinese = LanguageFactory(title='Chinese')
spanish.save()
chinese.save()
# set up instances that are children of the directory and have those languages
self.spanish_instance = DirectoryEntryFactory(parent=self.directory)
self.spanish_instance.languages.add(spanish)
self.spanish_instance.save()
self.chinese_instance = DirectoryEntryFactory(parent=self.directory)
self.chinese_instance.languages.add(chinese)
self.chinese_instance.save()
self.lang_filter = {'languages': spanish}
def test_bulk_scan(self):
"""
When scanner.bulk_scan is called, it should save all new results to the
database, associated with the correct DirectoryEntrys
"""
DirectoryEntryFactory.create(title='SecureDrop',
landing_page_url='https://securedrop.org',
onion_address='notreal.onion')
DirectoryEntryFactory.create(title='Freedom of the Press Foundation',
landing_page_url='https://freedom.press',
onion_address='notreal-2.onion')
securedrop_pages_qs = DirectoryEntry.objects.all()
scanner.bulk_scan(securedrop_pages_qs)
for page in DirectoryEntry.objects.all():
self.assertEqual(1, page.results.count())
def test_forces_https_should_not_be_none(self):
domain = 'https://sourceanonyme.radio-canada.ca'
entry = DirectoryEntryFactory.create(title='Source Anonyme',
landing_page_url=domain,
onion_address='notreal.onion')
r = scanner.scan(entry, commit=True)
self.assertIsNotNone(r.forces_https)
def setUp(self):
User = get_user_model()
self.client = Client()
self.username = "******"
self.email = "*****@*****.**"
self.password = "******"
self.user = User.objects.create_user(username=self.username, email=self.email, password=self.password, is_active=True)
self.site = Site.objects.get()
self.directory = DirectoryPageFactory(
parent=self.site.root_page,
)
self.unowned_sd_page = DirectoryEntryFactory()
self.unowned_sd_page.save()
self.user_owned_sd_page = DirectoryEntryFactory()
self.user_owned_sd_page.save()
SecuredropOwner(owner=self.user, page=self.user_owned_sd_page).save()
# Create a verified email address object for this user via allauth
EmailAddress.objects.create(user=self.user, email=self.email, verified=True)
# Create a device with pre-determined parameters to allow 2FA
# token verification. Numbers copied from django_otp unit
# tests.
device = TOTPDevice.objects.create(
user=self.user,
confirmed=True,
key='2a2bbba1092ffdd25a328ad1a0a5f5d61d7aacc4',
step=30,
t0=int(time() - (30 * 3)),
digits=6,
tolerance=0,
drift=0,
)
self.client.post(
reverse('account_login'),
{'login': self.email, 'password': self.password},
)
self.client.post(
reverse('two-factor-authenticate'),
# The token below corresponds to the parameters on the
# device just created.
{'otp_device': device.id, 'otp_token': '154567'},
)
def setUp(self):
User = get_user_model()
self.client = Client()
self.username = "******"
self.email = "*****@*****.**"
self.password = "******"
self.user = User.objects.create_user(username=self.username, email=self.email, password=self.password, is_active=True)
self.user.save()
# Create a verified email address object for this user via allauth
EmailAddress.objects.create(user=self.user, email=self.email, verified=True)
# Setup pages. Site is needed for valid urls.
site = Site.objects.get()
directory = DirectoryPageFactory(parent=site.root_page)
self.unowned_sd_page = DirectoryEntryFactory(live=True, parent=directory)
self.unowned_sd_page.save()
self.user_owned_sd_page = DirectoryEntryFactory(live=True, parent=directory)
self.user_owned_sd_page.save()
SecuredropOwner(owner=self.user, page=self.user_owned_sd_page).save()
def test_redirect_target_saved(self):
entry = DirectoryEntryFactory.create(
title='SecureDrop',
landing_page_url='https://httpbin.org/redirect/3',
onion_address='notreal.onion',
)
result = scanner.scan(entry)
self.assertEqual(result.redirect_target, 'https://httpbin.org/get')
def test_redirect_target_not_saved_if_not_redirect(self):
entry = DirectoryEntryFactory.create(
title='SecureDrop',
landing_page_url='https://securedrop.org',
onion_address='notreal.onion',
)
result = scanner.scan(entry)
self.assertIsNone(result.redirect_target)
def setUp(self):
User = get_user_model()
self.client = Client()
self.username = "******"
self.email = "*****@*****.**"
self.password = "******"
self.user = User.objects.create_user(username=self.username, email=self.email, password=self.password, is_active=True)
self.user.save()
# Create a verified email address object for this user via allauth
EmailAddress.objects.create(user=self.user, email=self.email, verified=True)
self.unowned_sd_page = DirectoryEntryFactory()
self.unowned_sd_page.save()
self.user_owned_sd_page = DirectoryEntryFactory()
self.user_owned_sd_page.save()
SecuredropOwner(owner=self.user, page=self.user_owned_sd_page).save()
# Login
self.client.post(reverse('account_login'), {'login': self.email, 'password': self.password})
def test_redirect_from_subdomain(self):
entry = DirectoryEntryFactory.create(
title='SecureDrop',
landing_page_url='http://health.nytimes.com',
onion_address='notreal.onion',
)
r = scanner.scan(entry)
self.assertTrue(r.subdomain)
self.assertTrue(r.no_cross_domain_redirects)
class DirectoryNoWarningTest(TestCase):
def setUp(self):
site = Site.objects.get()
self.entry = DirectoryEntryFactory(parent=DirectoryPageFactory(
parent=site.root_page))
self.result = ScanResultFactory(
securedrop=self.entry,
landing_page_url=self.entry.landing_page_url,
no_failures=True,
)
self.result.save()
self.entry.save()
self.client = Client()
def test_page_request_should_succeed_if_no_warnings_on_result(self):
response = self.client.get(self.entry.url)
self.assertEqual(response.status_code, 200)
def test_scan_with_permitted_domain(self):
securedrop = DirectoryEntryFactory.create(
title='Freedom of the Press Foundation',
landing_page_url='https://www.nytimes.com/tips',
onion_address='notreal.onion',
permitted_domains_for_assets=['nyt.com'],
)
result = scanner.scan(securedrop)
self.assertEqual(result.no_cross_domain_assets, True)
def test_save_associates_results(self):
landing_page_url = 'https://www.something.org'
result = ScanResult(
live=True,
hsts=True,
hsts_max_age=True,
securedrop=None,
landing_page_url=landing_page_url,
)
result.save()
securedrop = DirectoryEntryFactory(
landing_page_url=landing_page_url,
onion_address='https://notreal.onion',
)
securedrop.save()
result.refresh_from_db()
self.assertEqual(result.securedrop, securedrop)
def test_scan_with_permitted_domains_with_subdomain(self):
securedrop = DirectoryEntryFactory.create(
title='Freedom of the Press Foundation',
landing_page_url='https://securedrop.org',
onion_address='notreal.onion',
permitted_domains_for_assets=['analytics.freedom.press'],
)
result = scanner.scan(securedrop)
self.assertEqual(result.no_cross_domain_assets, True)
def test_cross_domain_redirect_detected_and_saved(self):
entry = DirectoryEntryFactory.create(
title='SecureDrop',
landing_page_url=
'https://httpbin.org/redirect-to?url=http%3A%2F%2Fwww.google.com&status_code=302',
onion_address='notreal.onion',
)
r = scanner.scan(entry)
self.assertFalse(r.no_cross_domain_redirects)