requests_wrapper: sign URL of prepared requests (#35225)

combo/public/views.py

@@ -188,6 +188,18 @@ def should_check_badges():
     return check_badges
 
 
+def mark_duplicated_slugs(cells):
+    # mark duplicated slugs to avoid using them in HTML id attributes.
+    cell_by_slugs = {}
+    for cell in cells:
+        if cell.slug not in cell_by_slugs:
+            cell_by_slugs[cell.slug] = []
+        cell_by_slugs[cell.slug].append(cell)
+    for slug, slug_cells in cell_by_slugs.items():
+        for cell in slug_cells:
+            cell.use_slug_as_id = bool(len(slug_cells) == 1)
+
+
 def skeleton(request):
     # Skeleton rendering is used to dynamically produce base templates to use
     # in other applications, based on configured combo cells.
@@ -280,6 +292,17 @@ def skeleton(request):
     pages = selected_page.get_parents_and_self()
     combo_template = settings.COMBO_PUBLIC_TEMPLATES[selected_page.template_name]
     extend_with_parent_cells(cells, hierarchy=pages)
+    mark_duplicated_slugs(cells)
+
+    # mark duplicated slugs to avoid using them in HTML id attributes.
+    cell_by_slugs = {}
+    for cell in cells:
+        if cell.slug not in cell_by_slugs:
+            cell_by_slugs[cell.slug] = []
+        cell_by_slugs[cell.slug].append(cell)
+    for slug, slug_cells in cell_by_slugs.items():
+        for cell in slug_cells:
+            cell.use_slug_as_id = bool(len(slug_cells) == 1)
 
     ctx = {
         'page': selected_page,
@@ -460,16 +483,7 @@ def publish_page(request, page, status=200, template_name=None):
     cells = CellBase.get_cells(page=page)
     extend_with_parent_cells(cells, hierarchy=pages)
     cells = [x for x in cells if x.is_visible(user=request.user)]
-
-    # mark duplicated slugs to avoid using them in HTML id attributes.
-    cell_by_slugs = {}
-    for cell in cells:
-        if cell.slug not in cell_by_slugs:
-            cell_by_slugs[cell.slug] = []
-        cell_by_slugs[cell.slug].append(cell)
-    for slug, slug_cells in cell_by_slugs.items():
-        for cell in slug_cells:
-            cell.use_slug_as_id = bool(len(slug_cells) == 1)
+    mark_duplicated_slugs(cells)
 
     ctx = {
         'check_badges': should_check_badges(),

combo/utils/requests_wrapper.py

@@ -18,6 +18,7 @@ import hashlib
 import logging
 
 from requests import Response, Session as RequestsSession
+from requests.auth import AuthBase
 
 from django.conf import settings
 from django.core.cache import cache
@@ -32,6 +33,15 @@ class NothingInCacheException(Exception):
     pass
 
 
+class PublikSignature(AuthBase):
+    def __init__(self, secret):
+        self.secret = secret
+
+    def __call__(self, request):
+        request.url = sign_url(request.url, self.secret)
+        return request
+
+
 class Requests(RequestsSession):
 
     def request(self, method, url, **kwargs):
@@ -117,8 +127,8 @@ class Requests(RequestsSession):
             elif raise_if_not_cached:
                 raise NothingInCacheException()
 
-        if remote_service: # sign
-            url = sign_url(url, remote_service.get('secret'))
+        if remote_service:  # sign
+            kwargs['auth'] = PublikSignature(remote_service.get('secret'))
 
         kwargs['timeout'] = kwargs.get('timeout') or settings.REQUESTS_TIMEOUT
 

tests/test_lingo_remote_regie.py

@@ -83,8 +83,8 @@ class MockUser(object):
         return 'r2d2'
 
 
-@mock.patch('combo.utils.requests_wrapper.RequestsSession.request')
-def test_remote_regie_active_invoices_cell(mock_request, remote_regie):
+@mock.patch('combo.utils.requests_wrapper.RequestsSession.send')
+def test_remote_regie_active_invoices_cell(mock_send, remote_regie):
     assert remote_regie.is_remote() == True
 
     page = Page(title='xxx', slug='test_basket_cell', template_name='standard')
@@ -103,15 +103,15 @@ def test_remote_regie_active_invoices_cell(mock_request, remote_regie):
     ws_invoices = {'err': 0, 'data': INVOICES}
     mock_response = mock.Mock(status_code=200, content=json.dumps(ws_invoices))
     mock_response.json.return_value = ws_invoices
-    mock_request.return_value = mock_response
+    mock_send.return_value = mock_response
     content = cell.render(context)
     assert 'F-2016-One' in content
     assert '123.45' in content
 
     assert '?page=%s' % page.pk in content
     # check if regie webservice has been correctly called
-    assert mock_request.call_args[0][0] == 'GET'
-    url = mock_request.call_args[0][1]
+    assert mock_send.call_args[0][0].method == 'GET'
+    url = mock_send.call_args[0][0].url
     scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
     assert scheme == 'http'
     assert netloc == 'example.org'
@@ -125,12 +125,12 @@ def test_remote_regie_active_invoices_cell(mock_request, remote_regie):
     ws_invoices = {'err': 0, 'data': []}
     mock_response = mock.Mock(status_code=200, content=json.dumps(ws_invoices))
     mock_response.json.return_value = ws_invoices
-    mock_request.return_value = mock_response
+    mock_send.return_value = mock_response
     content = cell.render(context)
     assert 'No items yet' in content
 
-@mock.patch('combo.utils.requests_wrapper.RequestsSession.request')
-def test_remote_regie_past_invoices_cell(mock_request, remote_regie):
+@mock.patch('combo.utils.requests_wrapper.RequestsSession.send')
+def test_remote_regie_past_invoices_cell(mock_send, remote_regie):
     assert remote_regie.is_remote() == True
 
     page = Page(title='xxx', slug='test_basket_cell', template_name='standard')
@@ -149,14 +149,14 @@ def test_remote_regie_past_invoices_cell(mock_request, remote_regie):
     ws_invoices = {'err': 0, 'data': INVOICES}
     mock_response = mock.Mock(status_code=200, content=json.dumps(ws_invoices))
     mock_response.json.return_value = ws_invoices
-    mock_request.return_value = mock_response
+    mock_send.return_value = mock_response
     content = cell.render(context)
     assert 'F-2016-One' in content
     assert '123.45' in content
 
     # check if regie webservice has been correctly called
-    assert mock_request.call_args[0][0] == 'GET'
-    url = mock_request.call_args[0][1]
+    assert mock_send.call_args[0][0].method == 'GET'
+    url = mock_send.call_args[0][0].url
     scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
     assert scheme == 'http'
     assert netloc == 'example.org'
@@ -170,7 +170,7 @@ def test_remote_regie_past_invoices_cell(mock_request, remote_regie):
     ws_invoices = {'err': 0, 'data': []}
     mock_response = mock.Mock(status_code=200, content=json.dumps(ws_invoices))
     mock_response.json.return_value = ws_invoices
-    mock_request.return_value = mock_response
+    mock_send.return_value = mock_response
     content = cell.render(context)
     assert 'No items yet' in content
 

tests/test_newsletters_cell.py

@@ -10,6 +10,7 @@ from django.contrib.auth.models import User
 from combo.data.models import Page
 from combo.apps.newsletters.models import NewslettersCell, SubscriptionsSaveError
 from combo.apps.newsletters.forms import NewslettersManageForm
+from combo.utils import check_query
 
 pytestmark = pytest.mark.django_db
 
@@ -147,8 +148,8 @@ def test_get_subscriptions(mock_get, cell, user):
     assert cell.get_subscriptions(user) == expected_subscriptions
     assert mock_get.call_args[1]['user'].email == USER_EMAIL
 
-@mock.patch('combo.utils.requests_wrapper.RequestsSession.request')
-def test_get_subscriptions_signature_check(mock_get, cell, user):
+@mock.patch('combo.utils.requests_wrapper.RequestsSession.send')
+def test_get_subscriptions_signature_check(mock_send, cell, user):
     restrictions = ('mail', 'sms')
     cell.transports_restrictions = ','.join(restrictions)
     expected_subscriptions = []
@@ -160,11 +161,10 @@ def test_get_subscriptions_signature_check(mock_get, cell, user):
     mock_json = mock.Mock(status_code=200)
     mock_json.json.return_value = {'err': 0,
                                    'data': SUBSCRIPTIONS}
-    mock_get.return_value = mock_json
+    mock_send.return_value = mock_json
     cell.get_subscriptions(user)
-    assert 'orig=combo' in mock_get.call_args[0][1]
-    assert 'signature=' in mock_get.call_args[0][1]
-    assert 'nonce=' in mock_get.call_args[0][1]
+    url = mock_send.call_args[0][0].url
+    assert check_query(url.split('?', 1)[-1], 'combo')
 
 
 def mocked_requests_connection_error(*args, **kwargs):

tests/test_requests.py

@@ -23,15 +23,15 @@ class MockUser(object):
 
 
 def test_nosign():
-    with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
+    with mock.patch('combo.utils.requests_wrapper.RequestsSession.send') as send:
         requests.get('http://example.org/foo/bar/')
-        assert request.call_args[0][1] == 'http://example.org/foo/bar/'
+        assert send.call_args[0][0].url == 'http://example.org/foo/bar/'
 
 def test_sign():
     remote_service = {'url': 'http://example.org', 'secret': 'secret', 'orig': 'myself'}
-    with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
+    with mock.patch('combo.utils.requests_wrapper.RequestsSession.send') as send:
         requests.get('/foo/bar/', remote_service=remote_service)
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -41,7 +41,7 @@ def test_sign():
         assert check_query(querystring, 'secret') == True
 
         requests.get('/foo/bar/', remote_service=remote_service, without_user=True)
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -52,9 +52,9 @@ def test_sign():
 
 
 def test_auto_sign():
-    with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
+    with mock.patch('combo.utils.requests_wrapper.RequestsSession.send') as send:
         requests.get('http://example.org/foo/bar/', remote_service='auto')
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -62,17 +62,17 @@ def test_auto_sign():
         assert check_query(querystring, 'combo') == True
 
         requests.get('http://doesnotexist/foo/bar/', remote_service='auto')
-        assert request.call_args[0][1] == 'http://doesnotexist/foo/bar/'
+        assert send.call_args[0][0].url == 'http://doesnotexist/foo/bar/'
 
 
 def test_sign_user():
     remote_service = {'url': 'http://example.org', 'secret': 'secret', 'orig': 'myself'}
-    with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
+    with mock.patch('combo.utils.requests_wrapper.RequestsSession.send') as send:
 
         user = MockUser(samlized=True)
 
         requests.get('/foo/bar/', remote_service=remote_service, user=user)
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -83,7 +83,7 @@ def test_sign_user():
 
         requests.get('/foo/bar/', remote_service=remote_service, user=user,
                      federation_key='email')
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -96,7 +96,7 @@ def test_sign_user():
         user = MockUser(samlized=False)
 
         requests.get('/foo/bar/', remote_service=remote_service, user=user)
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)
@@ -108,12 +108,12 @@ def test_sign_user():
 
 def test_sign_anonymous_user():
     remote_service = {'url': 'http://example.org', 'secret': 'secret', 'orig': 'myself'}
-    with mock.patch('combo.utils.requests_wrapper.RequestsSession.request') as request:
+    with mock.patch('combo.utils.requests_wrapper.RequestsSession.send') as send:
 
         user = AnonymousUser()
 
         requests.get('/foo/bar/', remote_service=remote_service, user=user)
-        url = request.call_args[0][1]
+        url = send.call_args[0][0].url
         assert url.startswith('http://example.org/foo/bar/?')
         scheme, netloc, path, params, querystring, fragment = urlparse.urlparse(url)
         query = urlparse.parse_qs(querystring, keep_blank_values=True)