Refs #32800 -- Improved CsrfViewMiddlewareTestMixin._check_token_present().
This changes CsrfViewMiddlewareTestMixin._check_token_present() to give more detailed information if the check fails, and in particular why it failed. It also moves CsrfFunctionTests.assertMaskedSecretCorrect() to a separate CsrfFunctionTestMixin so the helper can be used in CsrfViewMiddlewareTestMixin.
This commit is contained in:
parent
f10553ec93
commit
7aba820aca
|
@ -5,10 +5,11 @@ from django.contrib.sessions.backends.cache import SessionStore
|
||||||
from django.core.exceptions import ImproperlyConfigured
|
from django.core.exceptions import ImproperlyConfigured
|
||||||
from django.http import HttpRequest, HttpResponse, UnreadablePostError
|
from django.http import HttpRequest, HttpResponse, UnreadablePostError
|
||||||
from django.middleware.csrf import (
|
from django.middleware.csrf import (
|
||||||
CSRF_ALLOWED_CHARS, CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_ORIGIN,
|
CSRF_ALLOWED_CHARS, CSRF_SECRET_LENGTH, CSRF_SESSION_KEY,
|
||||||
REASON_CSRF_TOKEN_MISSING, REASON_NO_CSRF_COOKIE, CsrfViewMiddleware,
|
CSRF_TOKEN_LENGTH, REASON_BAD_ORIGIN, REASON_CSRF_TOKEN_MISSING,
|
||||||
InvalidTokenFormat, RejectRequest, _does_token_match, _mask_cipher_secret,
|
REASON_NO_CSRF_COOKIE, CsrfViewMiddleware, InvalidTokenFormat,
|
||||||
_sanitize_token, _unmask_cipher_token, get_token, rotate_token,
|
RejectRequest, _does_token_match, _mask_cipher_secret, _sanitize_token,
|
||||||
|
_unmask_cipher_token, get_token, rotate_token,
|
||||||
)
|
)
|
||||||
from django.test import SimpleTestCase, override_settings
|
from django.test import SimpleTestCase, override_settings
|
||||||
from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
|
from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
|
||||||
|
@ -26,7 +27,22 @@ MASKED_TEST_SECRET1 = '1bcdefghij2bcdefghij3bcdefghij4bcdefghij5bcdefghij6bcdefg
|
||||||
MASKED_TEST_SECRET2 = '2JgchWvM1tpxT2lfz9aydoXW9yT1DN3NdLiejYxOOlzzV4nhBbYqmqZYbAV3V5Bf'
|
MASKED_TEST_SECRET2 = '2JgchWvM1tpxT2lfz9aydoXW9yT1DN3NdLiejYxOOlzzV4nhBbYqmqZYbAV3V5Bf'
|
||||||
|
|
||||||
|
|
||||||
class CsrfFunctionTests(SimpleTestCase):
|
class CsrfFunctionTestMixin:
|
||||||
|
|
||||||
|
# This method depends on _unmask_cipher_token() being correct.
|
||||||
|
def assertMaskedSecretCorrect(self, masked_secret, secret):
|
||||||
|
"""Test that a string is a valid masked version of a secret."""
|
||||||
|
self.assertEqual(len(masked_secret), CSRF_TOKEN_LENGTH)
|
||||||
|
self.assertEqual(len(secret), CSRF_SECRET_LENGTH)
|
||||||
|
self.assertTrue(
|
||||||
|
set(masked_secret).issubset(set(CSRF_ALLOWED_CHARS)),
|
||||||
|
msg=f'invalid characters in {masked_secret!r}',
|
||||||
|
)
|
||||||
|
actual = _unmask_cipher_token(masked_secret)
|
||||||
|
self.assertEqual(actual, secret)
|
||||||
|
|
||||||
|
|
||||||
|
class CsrfFunctionTests(CsrfFunctionTestMixin, SimpleTestCase):
|
||||||
|
|
||||||
def test_unmask_cipher_token(self):
|
def test_unmask_cipher_token(self):
|
||||||
cases = [
|
cases = [
|
||||||
|
@ -47,17 +63,6 @@ class CsrfFunctionTests(SimpleTestCase):
|
||||||
actual = _unmask_cipher_token(masked_secret)
|
actual = _unmask_cipher_token(masked_secret)
|
||||||
self.assertEqual(actual, secret)
|
self.assertEqual(actual, secret)
|
||||||
|
|
||||||
# This method depends on _unmask_cipher_token() being correct.
|
|
||||||
def assertMaskedSecretCorrect(self, masked_secret, secret):
|
|
||||||
"""Test that a string is a valid masked version of a secret."""
|
|
||||||
self.assertEqual(len(masked_secret), CSRF_TOKEN_LENGTH)
|
|
||||||
self.assertTrue(
|
|
||||||
set(masked_secret).issubset(set(CSRF_ALLOWED_CHARS)),
|
|
||||||
msg=f'invalid characters in {masked_secret!r}',
|
|
||||||
)
|
|
||||||
actual = _unmask_cipher_token(masked_secret)
|
|
||||||
self.assertEqual(actual, secret)
|
|
||||||
|
|
||||||
def test_mask_cipher_secret(self):
|
def test_mask_cipher_secret(self):
|
||||||
cases = [
|
cases = [
|
||||||
32 * 'a',
|
32 * 'a',
|
||||||
|
@ -186,7 +191,7 @@ class PostErrorRequest(TestingHttpRequest):
|
||||||
POST = property(_get_post, _set_post)
|
POST = property(_get_post, _set_post)
|
||||||
|
|
||||||
|
|
||||||
class CsrfViewMiddlewareTestMixin:
|
class CsrfViewMiddlewareTestMixin(CsrfFunctionTestMixin):
|
||||||
"""
|
"""
|
||||||
Shared methods and tests for session-based and cookie-based tokens.
|
Shared methods and tests for session-based and cookie-based tokens.
|
||||||
"""
|
"""
|
||||||
|
@ -274,14 +279,19 @@ class CsrfViewMiddlewareTestMixin:
|
||||||
request_class=request_class,
|
request_class=request_class,
|
||||||
)
|
)
|
||||||
|
|
||||||
def _check_token_present(self, response, csrf_id=None):
|
# This method depends on _unmask_cipher_token() being correct.
|
||||||
|
def _check_token_present(self, response, csrf_token=None):
|
||||||
|
if csrf_token is None:
|
||||||
|
csrf_secret = TEST_SECRET
|
||||||
|
else:
|
||||||
|
csrf_secret = _unmask_cipher_token(csrf_token)
|
||||||
text = str(response.content, response.charset)
|
text = str(response.content, response.charset)
|
||||||
match = re.search('name="csrfmiddlewaretoken" value="(.*?)"', text)
|
match = re.search('name="csrfmiddlewaretoken" value="(.*?)"', text)
|
||||||
csrf_token = csrf_id or self._csrf_id_token
|
|
||||||
self.assertTrue(
|
self.assertTrue(
|
||||||
match and _does_token_match(csrf_token, match[1]),
|
match, f'Could not find a csrfmiddlewaretoken value in: {text}',
|
||||||
"Could not find csrfmiddlewaretoken to match %s" % csrf_token
|
|
||||||
)
|
)
|
||||||
|
csrf_token = match[1]
|
||||||
|
self.assertMaskedSecretCorrect(csrf_token, csrf_secret)
|
||||||
|
|
||||||
def test_process_response_get_token_not_used(self):
|
def test_process_response_get_token_not_used(self):
|
||||||
"""
|
"""
|
||||||
|
@ -543,7 +553,7 @@ class CsrfViewMiddlewareTestMixin:
|
||||||
mw.process_view(req, token_view, (), {})
|
mw.process_view(req, token_view, (), {})
|
||||||
resp = mw(req)
|
resp = mw(req)
|
||||||
csrf_cookie = self._read_csrf_cookie(req, resp)
|
csrf_cookie = self._read_csrf_cookie(req, resp)
|
||||||
self._check_token_present(resp, csrf_id=csrf_cookie)
|
self._check_token_present(resp, csrf_cookie)
|
||||||
|
|
||||||
def test_cookie_not_reset_on_accepted_request(self):
|
def test_cookie_not_reset_on_accepted_request(self):
|
||||||
"""
|
"""
|
||||||
|
@ -1179,7 +1189,7 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
|
||||||
resp = mw(req)
|
resp = mw(req)
|
||||||
csrf_cookie = self._read_csrf_cookie(req, resp)
|
csrf_cookie = self._read_csrf_cookie(req, resp)
|
||||||
self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH)
|
self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH)
|
||||||
self._check_token_present(resp, csrf_id=csrf_cookie)
|
self._check_token_present(resp, csrf_cookie)
|
||||||
|
|
||||||
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
|
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
|
||||||
def test_https_good_referer_behind_proxy(self):
|
def test_https_good_referer_behind_proxy(self):
|
||||||
|
|
Loading…
Reference in New Issue