import urlparse
import tempfile
import shutil
import json
import os
import hmac
import base64
import hashlib
import urllib
import datetime
from quixote import cleanup, get_publisher
from wcs import publisher
from qommon import sessions
from wcs.qommon.http_request import HTTPRequest
from wcs.users import User
from wcs.categories import Category
# Module-level fixtures; setup_module() fills in pub, req and app_dir, and the
# test itself assigns user.
pub = req = app_dir = user = None
def setup_module(module):
    """Build the publisher, request, session and category shared by this module.

    The publisher is pointed at a fresh temporary directory so that nothing
    the tests store (users, categories, site-options.cfg) touches a real
    application directory.
    """
    global pub, req, app_dir, user

    cleanup()

    # APP_DIR must be set on the class before the publisher is instantiated.
    app_dir = tempfile.mkdtemp()
    publisher.WcsPublisher.APP_DIR = app_dir
    pub = publisher.WcsPublisher.create_publisher()

    # Anonymous English-language request for the example.net site.
    environ = {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'}
    req = HTTPRequest(None, environ)
    req._user = None
    req.language = 'en'
    pub._set_request(req)
    req.session = sessions.Session(id=1)

    default_category = Category()
    default_category.name = 'category'
    default_category.store()
def visit_page(url, body=None):
    """Run *url* through the publisher and return the response it produces.

    A minimal WSGI-like environ is derived from the URL: the path becomes
    PATH_INFO and a non-empty query string becomes QUERY_STRING.  The new
    request replaces the module-level ``req``.
    """
    global req

    target = urlparse.urlparse(url)
    environ = {
        'SCRIPT_NAME': '/',
        'SERVER_NAME': 'example.net',
        'PATH_INFO': target.path,
    }
    # QUERY_STRING is left out entirely when the URL has no query part.
    if target.query:
        environ['QUERY_STRING'] = target.query

    req = HTTPRequest(body, environ)
    return get_publisher().process_request(req)
def teardown_module(module):
    """Delete the temporary application directory the publisher was using."""
    app_directory = pub.APP_DIR
    shutil.rmtree(app_directory)
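def _utc_timestamp():
    """Return the current UTC time as 'YYYY-MM-DDTHH:MM:SSZ'."""
    return datetime.datetime.utcnow().isoformat()[:19] + 'Z'


def _signed_user_url(query, digestmod, key='1234'):
    """Return the /user URL for *query* with its HMAC signature appended.

    The signature is HMAC(key, query) computed with *digestmod*, base64
    encoded and then URL-quoted.  The default key is the test fixture value
    written under [api-secrets] in site-options.cfg by the test below.
    """
    digest = hmac.new(key, query, digestmod).digest()
    signature = urllib.quote(base64.b64encode(digest))
    return '/user?%s&signature=%s' % (query, signature)


def _json_response(url):
    """Visit *url* and return the response body decoded as JSON."""
    response = visit_page(url)
    return json.loads(''.join(response.generate_body_chunks()))


def test_get_user_from_api_query_string():
    """Walk the signed-query-string checks of the /user JSON API in order.

    Each step adds one more valid element to the request and asserts the
    next rejection reason, ending with two accepted requests (HMAC-SHA1 and
    HMAC-SHA256).  The steps are order dependent: the user must be stored
    and the API secret must be configured before the later requests.

    NOTE(review): not covered here -- a timestamp that is stale or in the
    future, a request with a repeated parameter, and a valid signature made
    with a key belonging to a different ``orig``.  Consider adding cases.
    """
    global user

    # Without a JSON format request, /user redirects to the user's space.
    output = visit_page('/user')
    assert output.headers.get('location') == 'http://example.net//myspace/'

    user = User()
    user.name = 'Jean Darmette'
    user.email = 'jean.darmette@triffouilis.fr'
    user.store()

    # NOTE(review): '???' is the placeholder the original test carries; the
    # expected body for an unsigned JSON request is not known from this
    # file -- replace it with the real value.
    output = visit_page('/user?format=json')
    content = ''.join(output.generate_body_chunks())
    assert content == '???'

    # A signature alone is rejected because the originator is missing.
    result = _json_response('/user?format=json&signature=xxx')
    assert result['err_desc'] == 'missing/multiple orig field'

    # An originator with no configured secret is rejected.
    result = _json_response('/user?format=json&orig=coin&signature=xxx')
    assert result['err_desc'] == 'invalid orig'

    # Register the shared secret for originator 'coucou'.  The context
    # manager closes the file before the next request is processed.
    options_path = os.path.join(app_dir, 'example.net', 'site-options.cfg')
    with open(options_path, 'w') as options_file:
        options_file.write('[api-secrets]\ncoucou = 1234\n')

    result = _json_response('/user?format=json&orig=coucou&signature=xxx')
    assert result['err_desc'] == 'missing/multiple algo field'

    # Only known digest names are accepted as the algorithm.
    result = _json_response(
        '/user?format=json&orig=coucou&signature=xxx&algo=coin')
    assert result['err_desc'] == 'invalid algo'

    # A known algorithm with a bogus signature value is rejected.
    result = _json_response(
        '/user?format=json&orig=coucou&signature=xxx&algo=sha1')
    assert result['err_desc'] == 'invalid signature'

    # A correct signature is still rejected when no timestamp is signed.
    result = _json_response(
        _signed_user_url('format=json&orig=coucou&algo=sha1', hashlib.sha1))
    assert result['err_desc'] == 'missing/multiple timestamp field'

    # The page rendering had turned '&timestamp=' into a multiplication sign
    # followed by 'tamp=' (the '&times' entity); the separator and field
    # name are restored here so the timestamp really is sent.
    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + _utc_timestamp()
    result = _json_response(_signed_user_url(query, hashlib.sha1))
    assert result['err_desc'] == 'missing email or NameID fields'

    # Fully valid HMAC-SHA1 request identifying the user by email.
    query = ('format=json&orig=coucou&algo=sha1&email='
             + urllib.quote(user.email)
             + '&timestamp=' + _utc_timestamp())
    result = _json_response(_signed_user_url(query, hashlib.sha1))
    assert result['user_display_name'] == u'Jean Darmette'

    # Algorithm mismatch: the query declares sha256 but is signed with SHA-1,
    # so the server must not accept the signature.
    query = ('format=json&orig=coucou&algo=sha256&email='
             + urllib.quote(user.email)
             + '&timestamp=' + _utc_timestamp())
    result = _json_response(_signed_user_url(query, hashlib.sha1))
    assert result['err_desc'] == 'invalid signature'

    # Same query shape signed with the declared algorithm is accepted.
    query = ('format=json&orig=coucou&algo=sha256&email='
             + urllib.quote(user.email)
             + '&timestamp=' + _utc_timestamp())
    result = _json_response(_signed_user_url(query, hashlib.sha256))
    assert result['user_display_name'] == u'Jean Darmette'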