Add tests for get_user_from_api_query_string() (fixes #5536)
This commit is contained in:
parent
3074204f09
commit
a9ac6fec89
|
@ -0,0 +1,168 @@
|
|||
import urlparse
|
||||
import tempfile
|
||||
import shutil
|
||||
import json
|
||||
import os
|
||||
import hmac
|
||||
import base64
|
||||
import hashlib
|
||||
import urllib
|
||||
import datetime
|
||||
|
||||
from quixote import cleanup, get_publisher
|
||||
from wcs import publisher
|
||||
from qommon import sessions
|
||||
from wcs.qommon.http_request import HTTPRequest
|
||||
from wcs.users import User
|
||||
from wcs.categories import Category
|
||||
|
||||
pub, req, app_dir, user = None, None, None, None
|
||||
|
||||
def setup_module(module):
|
||||
cleanup()
|
||||
|
||||
global pub, req, app_dir, user
|
||||
APP_DIR = tempfile.mkdtemp()
|
||||
publisher.WcsPublisher.APP_DIR = APP_DIR
|
||||
pub = publisher.WcsPublisher.create_publisher()
|
||||
# allow saving the user
|
||||
pub.app_dir = os.path.join(APP_DIR, 'example.net')
|
||||
os.mkdir(pub.app_dir)
|
||||
user = User()
|
||||
user.name = 'Jean Darmette'
|
||||
user.email = 'jean.darmette@triffouilis.fr'
|
||||
user.store()
|
||||
|
||||
file(os.path.join(pub.app_dir, 'site-options.cfg'), 'w').write('''\
|
||||
[api-secrets]
|
||||
coucou = 1234
|
||||
''')
|
||||
|
||||
req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'})
|
||||
req._user = None
|
||||
req.language = 'en'
|
||||
pub._set_request(req)
|
||||
req.session = sessions.Session(id=1)
|
||||
category = Category()
|
||||
category.name = 'category'
|
||||
category.store()
|
||||
|
||||
|
||||
def visit_page(url, body=None):
|
||||
global req
|
||||
|
||||
parsed = urlparse.urlparse(url)
|
||||
environ = {}
|
||||
environ['SCRIPT_NAME'] = '/'
|
||||
environ['SERVER_NAME'] = 'example.net'
|
||||
environ['PATH_INFO'] = parsed.path
|
||||
if parsed.query:
|
||||
environ['QUERY_STRING'] = parsed.query
|
||||
req = HTTPRequest(body, environ)
|
||||
return get_publisher().process_request(req)
|
||||
|
||||
def teardown_module(module):
|
||||
global pub
|
||||
shutil.rmtree(pub.APP_DIR)
|
||||
|
||||
def test_user_page_redirect():
|
||||
output = visit_page('/user')
|
||||
assert output.headers.get('location') == 'http://example.net//myspace/'
|
||||
|
||||
def test_user_page_error_when_json_and_no_user():
|
||||
output = visit_page('/user?format=json')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
assert content == '???'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_orig():
|
||||
output = visit_page('/user?format=json&signature=xxx')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'missing/multiple orig field'
|
||||
|
||||
def test_get_user_from_api_query_string_error_invalid_orig():
|
||||
output = visit_page('/user?format=json&orig=coin&signature=xxx')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'invalid orig'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_algo():
|
||||
output = visit_page('/user?format=json&orig=coucou&signature=xxx')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'missing/multiple algo field'
|
||||
|
||||
def test_get_user_from_api_query_string_error_invalid_algo():
|
||||
output = visit_page('/user?format=json&orig=coucou&signature=xxx&algo=coin')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'invalid algo'
|
||||
|
||||
def test_get_user_from_api_query_string_error_invalid_signature():
|
||||
output = visit_page('/user?format=json&orig=coucou&signature=xxx&algo=sha1')
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'invalid signature'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_timestamp():
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
'format=json&orig=coucou&algo=sha1',
|
||||
hashlib.sha1).digest()))
|
||||
output = visit_page('/user?format=json&orig=coucou&algo=sha1&signature=%s' % signature)
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'missing/multiple timestamp field'
|
||||
|
||||
def test_get_user_from_api_query_string_error_missing_email():
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1×tamp=' + timestamp
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
query,
|
||||
hashlib.sha1).digest()))
|
||||
output = visit_page('/user?%s&signature=%s' % (query, signature))
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'missing email or NameID fields'
|
||||
|
||||
def test_get_user_from_api_query_string_error_success_sha1():
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha1&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
query,
|
||||
hashlib.sha1).digest()))
|
||||
output = visit_page('/user?%s&signature=%s' % (query, signature))
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['user_display_name'] == u'Jean Darmette'
|
||||
|
||||
def test_get_user_from_api_query_string_error_invalid_signature_algo_mismatch():
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
query,
|
||||
hashlib.sha1).digest()))
|
||||
output = visit_page('/user?%s&signature=%s' % (query, signature))
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['err_desc'] == 'invalid signature'
|
||||
|
||||
def test_get_user_from_api_query_string_error_success_sha256():
|
||||
timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
|
||||
query = 'format=json&orig=coucou&algo=sha256&email=' + urllib.quote(user.email) + '×tamp=' + timestamp
|
||||
signature = urllib.quote(
|
||||
base64.b64encode(
|
||||
hmac.new('1234',
|
||||
query,
|
||||
hashlib.sha256).digest()))
|
||||
output = visit_page('/user?%s&signature=%s' % (query, signature))
|
||||
content = ''.join(output.generate_body_chunks())
|
||||
result = json.loads(content)
|
||||
assert result['user_display_name'] == u'Jean Darmette'
|
Loading…
Reference in New Issue