import urlparse
import tempfile
import shutil
import json
import os
import hmac
import base64
import hashlib
import urllib
import datetime
from quixote import cleanup, get_publisher
from wcs import publisher
from qommon import sessions
from wcs.qommon.http_request import HTTPRequest
from wcs.users import User
from wcs.categories import Category
# Module-level fixtures filled in by setup_module(): the publisher, the
# current request, the temporary application directory and the stored user.
pub = req = app_dir = user = None
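def setup_module(module):
    """Build a throw-away wcs publisher with one stored user and one category.

    The publisher runs out of a fresh ``tempfile.mkdtemp()`` directory
    (created readable by the current user only) that ``teardown_module``
    removes.  ``site-options.cfg`` declares a single ``[api-secrets]`` entry:
    ``coucou`` is the ``orig`` identifier the API tests send and ``1234`` is
    the shared HMAC key they sign their query strings with — a test value,
    never to be reused outside this fixture.

    Side effects: assigns the module globals ``pub``, ``req``, ``app_dir``
    and ``user``.  ``app_dir`` was declared at module level but never set
    before; it now holds the temporary directory so tests can locate it.
    """
    cleanup()

    global pub, req, app_dir, user
    app_dir = tempfile.mkdtemp()
    publisher.WcsPublisher.APP_DIR = app_dir
    pub = publisher.WcsPublisher.create_publisher()
    # The user store lives under the per-site application directory, so it
    # has to exist before user.store() is called.
    pub.app_dir = os.path.join(app_dir, 'example.net')
    os.mkdir(pub.app_dir)
    user = User()
    user.name = 'Jean Darmette'
    user.email = 'jean.darmette@triffouilis.fr'
    user.store()

    # Use a context manager so the config is flushed and closed before the
    # publisher reads it, instead of relying on the garbage collector to
    # close the handle returned by file(...).
    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as config:
        config.write('''\
[api-secrets]
coucou = 1234
''')

    req = HTTPRequest(None, {'SCRIPT_NAME': '/', 'SERVER_NAME': 'example.net'})
    req._user = None
    req.language = 'en'
    pub._set_request(req)
    req.session = sessions.Session(id=1)
    category = Category()
    category.name = 'category'
    category.store()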
def visit_page(url, body=None):
    """Run *url* through the publisher and return the response object.

    Only the path and query of *url* are used; every request is addressed to
    ``example.net`` with ``SCRIPT_NAME`` ``/``.  *body* is handed to
    HTTPRequest unchanged.  The request built here replaces the module-level
    ``req`` so tests can inspect it afterwards.
    """
    global req

    target = urlparse.urlparse(url)
    environ = {
        'SCRIPT_NAME': '/',
        'SERVER_NAME': 'example.net',
        'PATH_INFO': target.path,
    }
    # An empty query string is left out of the environ altogether.
    if target.query:
        environ['QUERY_STRING'] = target.query
    req = HTTPRequest(body, environ)
    return get_publisher().process_request(req)
def teardown_module(module):
    """Remove the temporary application directory created by setup_module.

    ``pub.APP_DIR`` is the class attribute set on WcsPublisher during setup;
    reading a module global needs no ``global`` declaration.
    """
    shutil.rmtree(pub.APP_DIR)
def test_user_page_redirect():
    """Without ``format=json``, /user redirects the browser to /myspace/."""
    response = visit_page('/user')
    location = response.headers.get('location')
    # The doubled slash presumably comes from SCRIPT_NAME '/' being joined
    # with '/myspace/'; this pins the current behaviour, not a desired one.
    assert location == 'http://example.net//myspace/'
def test_user_page_error_when_json_and_no_user():
    """/user?format=json with neither a session user nor a signature."""
    response = visit_page('/user?format=json')
    body = ''.join(response.generate_body_chunks())
    # NOTE(review): '???' looks like a placeholder rather than a meaningful
    # error body; confirm this really is what the endpoint emits.
    assert body == '???'
def test_get_user_from_api_query_string_error_missing_orig():
    """A signed query without an ``orig`` field is rejected.

    ``orig`` names the ``[api-secrets]`` entry whose key must be used to
    check the MAC; without it there is nothing to verify against, so this
    is the first error the endpoint reports.
    """
    response = visit_page('/user?format=json&signature=xxx')
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'missing/multiple orig field'
def test_get_user_from_api_query_string_error_invalid_orig():
    """An ``orig`` not declared in ``[api-secrets]`` is rejected.

    NOTE(review): the distinct error strings let a caller tell an unknown
    ``orig`` from a bad signature, i.e. enumerate the configured key
    identifiers; fine only if those identifiers are not considered secret.
    """
    response = visit_page('/user?format=json&orig=coin&signature=xxx')
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'invalid orig'
def test_get_user_from_api_query_string_error_missing_algo():
    """A known ``orig`` but no ``algo`` field is rejected before the MAC check.

    The MAC algorithm is named by the request (``sha1`` or ``sha256`` in the
    success tests below) rather than fixed by the server.
    """
    url = '/user?format=json&orig=coucou&signature=xxx'
    response = visit_page(url)
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'missing/multiple algo field'
def test_get_user_from_api_query_string_error_invalid_algo():
    """An ``algo`` value outside the accepted set is rejected.

    Only names the server knows may be used; a client cannot pick an
    arbitrary digest.
    """
    url = '/user?format=json&orig=coucou&signature=xxx&algo=coin'
    response = visit_page(url)
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'invalid algo'
def test_get_user_from_api_query_string_error_invalid_signature():
    """Valid ``orig`` and ``algo`` with a garbage signature is rejected.

    ``xxx`` is not even valid base64; the endpoint must answer with the
    generic 'invalid signature' rather than fail on decoding.
    """
    url = '/user?format=json&orig=coucou&signature=xxx&algo=sha1'
    response = visit_page(url)
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'invalid signature'
def test_get_user_from_api_query_string_error_missing_timestamp():
    """A correctly signed query is still rejected when it has no timestamp.

    The MAC is computed over the query string that precedes ``&signature=``
    with the key configured for ``orig=coucou`` in setup_module; the
    signature parameter is always appended last.
    """
    unsigned_query = 'format=json&orig=coucou&algo=sha1'
    mac = hmac.new('1234', unsigned_query, hashlib.sha1).digest()
    signature = urllib.quote(base64.b64encode(mac))
    response = visit_page('/user?%s&signature=%s' % (unsigned_query, signature))
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'missing/multiple timestamp field'
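def test_get_user_from_api_query_string_error_missing_email():
    """A signed, timestamped query with neither email nor NameID is rejected.

    Fix: the query field is ``&timestamp=``; an earlier copy of this line had
    it mangled to ``×tamp=`` (``&times`` decoded as an HTML entity), which
    would have made the endpoint report a missing timestamp instead of the
    expected missing-email error.

    NOTE(review): only a fresh timestamp is sent here; no test in this file
    exercises a stale or reused one, so the server's replay window is not
    covered.
    """
    # Second precision with an explicit UTC marker, matching what the
    # endpoint is fed in the success tests.
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
    mac = hmac.new('1234', query, hashlib.sha1).digest()
    signature = urllib.quote(base64.b64encode(mac))
    response = visit_page('/user?%s&signature=%s' % (query, signature))
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'missing email or NameID fields'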
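def test_get_user_from_api_query_string_error_success_sha1():
    """A complete, sha1-signed query returns the stored user's display name.

    Fix: the query field is ``&timestamp=``; an earlier copy of this line had
    it mangled to ``×tamp=`` (``&times`` decoded as an HTML entity), which
    would have made the endpoint report a missing timestamp instead of
    resolving the user.

    The key ``'1234'`` is the ``[api-secrets]`` value for ``orig=coucou``
    written by setup_module; the email is URL-quoted before signing, so the
    MAC covers the encoded form the server receives.
    """
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    query = ('format=json&orig=coucou&algo=sha1&email='
             + urllib.quote(user.email)
             + '&timestamp=' + timestamp)
    mac = hmac.new('1234', query, hashlib.sha1).digest()
    signature = urllib.quote(base64.b64encode(mac))
    response = visit_page('/user?%s&signature=%s' % (query, signature))
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['user_display_name'] == u'Jean Darmette'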
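def test_get_user_from_api_query_string_error_invalid_signature_algo_mismatch():
    """A sha1 MAC sent with ``algo=sha256`` must not verify.

    The server has to check the MAC with the algorithm the request names,
    not with whichever one happens to match; otherwise a client could
    downgrade the digest silently.

    Fix: the query field is ``&timestamp=``; an earlier copy of this line had
    it mangled to ``×tamp=`` (``&times`` decoded as an HTML entity).  With
    the field missing the test would still have passed, but for the wrong
    reason only if timestamp were checked before the signature — the
    missing_timestamp test shows it is not, so the intended mismatch is
    what is exercised here.
    """
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    query = ('format=json&orig=coucou&algo=sha256&email='
             + urllib.quote(user.email)
             + '&timestamp=' + timestamp)
    # Deliberately signed with sha1 although the query declares sha256.
    mac = hmac.new('1234', query, hashlib.sha1).digest()
    signature = urllib.quote(base64.b64encode(mac))
    response = visit_page('/user?%s&signature=%s' % (query, signature))
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['err_desc'] == 'invalid signature'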
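def test_get_user_from_api_query_string_error_success_sha256():
    """A complete, sha256-signed query returns the stored user's display name.

    Fix: the query field is ``&timestamp=``; an earlier copy of this line had
    it mangled to ``×tamp=`` (``&times`` decoded as an HTML entity), which
    would have made the endpoint report a missing timestamp instead of
    resolving the user.

    Same shape as the sha1 success test; only the declared ``algo`` and the
    digest handed to hmac.new differ, and they must agree.
    """
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
    query = ('format=json&orig=coucou&algo=sha256&email='
             + urllib.quote(user.email)
             + '&timestamp=' + timestamp)
    mac = hmac.new('1234', query, hashlib.sha256).digest()
    signature = urllib.quote(base64.b64encode(mac))
    response = visit_page('/user?%s&signature=%s' % (query, signature))
    result = json.loads(''.join(response.generate_body_chunks()))
    assert result['user_display_name'] == u'Jean Darmette'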