Skip to content
Snippets Groups Projects
Normal view Permalink
test_csrf.py 2.58 KiB
Newer Older
  • Learn to ignore specific revisions
    • Julian's avatar
    Add a few unit tests as well as integration tests that cover almost all views....
    Julian committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 
    import unittest

from flask import Flask, Blueprint, session, url_for

from uffd.csrf import csrf_bp, csrf_protect

uid_counter = 0

class TestCSRF(unittest.TestCase):
	unprotected_ep = 'foo'
	protected_ep = 'bar'

	def setUp(self):
		self.app = Flask(__name__)
		self.app.testing = True
		self.app.config['SECRET_KEY'] = 'DEBUGKEY'
		self.app.register_blueprint(csrf_bp)

		@self.app.route('/', methods=['GET', 'POST'])
		def index():
			return 'SUCCESS', 200

		@self.app.route('/login', methods=['GET', 'POST'])
		def login():
			global uid_counter
			session['_csrf_token'] = 'secret_csrf_token%d'%uid_counter
			uid_counter += 1
			return 'Ok', 200

		@self.app.route('/logout', methods=['GET', 'POST'])
		def logout():
			session.clear()
			return 'Ok', 200

		@self.app.route('/foo', methods=['GET', 'POST'])
		def foo():
			return 'SUCCESS', 200

		@self.app.route('/bar', methods=['GET', 'POST'])
		@csrf_protect()
		def bar():
			return 'SUCCESS', 200
		
		self.bp = Blueprint('bp', __name__)

		@self.bp.route('/foo', methods=['GET', 'POST'])
		@csrf_protect(blueprint=self.bp) # This time on .foo and not on .bar!
		def foo():
			return 'SUCCESS', 200
		
		@self.bp.route('/bar', methods=['GET', 'POST'])
		def bar():
			return 'SUCCESS', 200

		self.app.register_blueprint(self.bp, url_prefix='/bp/')
		self.client = self.app.test_client()
		self.client.__enter__()
		# Just do some request so that we can use url_for
		self.client.get(path='/')

	def tearDown(self):
		self.client.__exit__(None, None, None)

	def set_token(self):
		self.client.get(path='/login')

	def clear_token(self):
		self.client.get(path='/logout')

	def test_notoken_unprotected(self):
		url = url_for(self.unprotected_ep)
		self.assertTrue('csrf' not in url)
		self.assertEqual(self.client.get(path=url).data, b'SUCCESS')

	def test_token_unprotected(self):
		self.set_token()
		self.test_notoken_unprotected()

	def test_notoken_protected(self):
		url = url_for(self.protected_ep)
		self.assertNotEqual(self.client.get(path=url).data, b'SUCCESS')

	def test_token_protected(self):
		self.set_token()
		url = url_for(self.protected_ep)
		self.assertEqual(self.client.get(path=url).data, b'SUCCESS')

	def test_wrong_token_protected(self):
		self.set_token()
		url = url_for(self.protected_ep)
		self.set_token()
		self.assertNotEqual(self.client.get(path=url).data, b'SUCCESS')
	
	def test_deleted_token_protected(self):
		self.set_token()
		url = url_for(self.protected_ep)
		self.clear_token()
		self.assertNotEqual(self.client.get(path=url).data, b'SUCCESS')
	
class TestBlueprintCSRF(TestCSRF):
	unprotected_ep = 'bp.bar'
	protected_ep = 'bp.foo'

    Impressum - Datenschutzerklärung