entrouvert/wcs
entrouvert
/
wcs
14
1
Fork 0
Code Issues Pull Requests 38 Releases Activity

Add tests for get_user_from_api_query_string() (fixes #5536)

This commit is contained in:
Benjamin Dauvergne 2014-09-23 11:40:16 +02:00
parent 3074204f09
commit a9ac6fec89
1 changed files with 168 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
tests/test_api.py Normal file
View File

@ -0,0 +1,168 @@
import urlparse
import tempfile
import shutil
import json
import os
import hmac
import base64
import hashlib
import urllib
import datetime
from quixote import cleanup, get_publisher
from wcs import publisher
from qommon import sessions
from wcs.qommon.http_request import HTTPRequest
from wcs.users import User
from wcs.categories import Category
pub, req, app_dir, user = None, None, None, None
def setup_module(module):
cleanup()
global pub, req, app_dir, user
APP_DIR = tempfile.mkdtemp()
publisher.WcsPublisher.APP_DIR = APP_DIR
pub = publisher.WcsPublisher.create_publisher()
# allow saving the user
pub.app_dir = os.path.join(APP_DIR, 'example.net')
os.mkdir(pub.app_dir)
user = User()
user.name = 'Jean Darmette'
user.email = 'jean.darmette@triffouilis.fr'
user.store()
file(os.path.join(pub.app_dir, 'site-options.cfg'), 'w').write('''\
[api-secrets]
coucou = 1234
''')
req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'})
req._user = None
req.language = 'en'
pub._set_request(req)
req.session = sessions.Session(id=1)
category = Category()
category.name = 'category'
category.store()
def visit_page(url, body=None):
global req
parsed = urlparse.urlparse(url)
environ = {}
environ['SCRIPT_NAME'] = '/'
environ['SERVER_NAME'] = 'example.net'
environ['PATH_INFO'] = parsed.path
if parsed.query:
environ['QUERY_STRING'] = parsed.query
req = HTTPRequest(body, environ)
return get_publisher().process_request(req)
def teardown_module(module):
global pub
shutil.rmtree(pub.APP_DIR)
def test_user_page_redirect():
output = visit_page('/user')
assert output.headers.get('location') == 'http://example.net//myspace/'
def test_user_page_error_when_json_and_no_user():
output = visit_page('/user?format=json')
content = ''.join(output.generate_body_chunks())
assert content == '???'
def test_get_user_from_api_query_string_error_missing_orig():
output = visit_page('/user?format=json&signature=xxx')
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'missing/multiple orig field'
def test_get_user_from_api_query_string_error_invalid_orig():
output = visit_page('/user?format=json&orig=coin&signature=xxx')
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'invalid orig'
def test_get_user_from_api_query_string_error_missing_algo():
output = visit_page('/user?format=json&orig=coucou&signature=xxx')
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'missing/multiple algo field'
def test_get_user_from_api_query_string_error_invalid_algo():
output = visit_page('/user?format=json&orig=coucou&signature=xxx&algo=coin')
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'invalid algo'
def test_get_user_from_api_query_string_error_invalid_signature():
output = visit_page('/user?format=json&orig=coucou&signature=xxx&algo=sha1')
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'invalid signature'
def test_get_user_from_api_query_string_error_missing_timestamp():
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
'format=json&orig=coucou&algo=sha1',
hashlib.sha1).digest()))
output = visit_page('/user?format=json&orig=coucou&algo=sha1&signature=%s' % signature)
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'missing/multiple timestamp field'
def test_get_user_from_api_query_string_error_missing_email():
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hashlib.sha1).digest()))
output = visit_page('/user?%s&signature=%s' % (query, signature))
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'missing email or NameID fields'
def test_get_user_from_api_query_string_error_success_sha1():
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
query = 'format=json&orig=coucou&algo=sha1&email=' + urllib.quote(user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hashlib.sha1).digest()))
output = visit_page('/user?%s&signature=%s' % (query, signature))
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['user_display_name'] == u'Jean Darmette'
def test_get_user_from_api_query_string_error_invalid_signature_algo_mismatch():
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hashlib.sha1).digest()))
output = visit_page('/user?%s&signature=%s' % (query, signature))
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['err_desc'] == 'invalid signature'
def test_get_user_from_api_query_string_error_success_sha256():
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '&timestamp=' + timestamp
signature = urllib.quote(
base64.b64encode(
hmac.new('1234',
query,
hashlib.sha256).digest()))
output = visit_page('/user?%s&signature=%s' % (query, signature))
content = ''.join(output.generate_body_chunks())
result = json.loads(content)
assert result['user_display_name'] == u'Jean Darmette'