1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Refs #32800 -- Added tests of more CSRF functions.

This commit is contained in:
Chris Jerdonek 2021-07-09 01:03:52 -04:00 committed by Mariusz Felisiak
parent 7132341255
commit 795051b2b0

View File

@ -7,8 +7,8 @@ from django.http import HttpRequest, HttpResponse, UnreadablePostError
from django.middleware.csrf import (
CSRF_ALLOWED_CHARS, CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_ORIGIN,
REASON_CSRF_TOKEN_MISSING, REASON_NO_CSRF_COOKIE, CsrfViewMiddleware,
RejectRequest, _does_token_match, _mask_cipher_secret, _unmask_cipher_token,
get_token,
InvalidTokenFormat, RejectRequest, _does_token_match, _mask_cipher_secret,
_sanitize_token, _unmask_cipher_token, get_token, rotate_token,
)
from django.test import SimpleTestCase, override_settings
from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
@ -69,6 +69,76 @@ class CsrfFunctionTests(SimpleTestCase):
masked = _mask_cipher_secret(secret)
self.assertMaskedSecretCorrect(masked, secret)
def test_get_token_csrf_cookie_set(self):
request = HttpRequest()
request.META['CSRF_COOKIE'] = MASKED_TEST_SECRET1
self.assertNotIn('CSRF_COOKIE_NEEDS_UPDATE', request.META)
token = get_token(request)
self.assertNotEqual(token, MASKED_TEST_SECRET1)
self.assertMaskedSecretCorrect(token, TEST_SECRET)
# The existing cookie is preserved.
self.assertEqual(request.META['CSRF_COOKIE'], MASKED_TEST_SECRET1)
self.assertIs(request.META['CSRF_COOKIE_NEEDS_UPDATE'], True)
def test_get_token_csrf_cookie_not_set(self):
request = HttpRequest()
self.assertNotIn('CSRF_COOKIE', request.META)
self.assertNotIn('CSRF_COOKIE_NEEDS_UPDATE', request.META)
token = get_token(request)
cookie = request.META['CSRF_COOKIE']
self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH)
unmasked_cookie = _unmask_cipher_token(cookie)
self.assertMaskedSecretCorrect(token, unmasked_cookie)
self.assertIs(request.META['CSRF_COOKIE_NEEDS_UPDATE'], True)
def test_rotate_token(self):
request = HttpRequest()
request.META['CSRF_COOKIE'] = MASKED_TEST_SECRET1
self.assertNotIn('CSRF_COOKIE_NEEDS_UPDATE', request.META)
rotate_token(request)
# The underlying secret was changed.
cookie = request.META['CSRF_COOKIE']
self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH)
unmasked_cookie = _unmask_cipher_token(cookie)
self.assertNotEqual(unmasked_cookie, TEST_SECRET)
self.assertIs(request.META['CSRF_COOKIE_NEEDS_UPDATE'], True)
def test_sanitize_token_masked(self):
# Tokens of length CSRF_TOKEN_LENGTH are preserved.
cases = [
(MASKED_TEST_SECRET1, MASKED_TEST_SECRET1),
(64 * 'a', 64 * 'a'),
]
for token, expected in cases:
with self.subTest(token=token):
actual = _sanitize_token(token)
self.assertEqual(actual, expected)
def test_sanitize_token_unmasked(self):
# A token of length CSRF_SECRET_LENGTH is masked.
actual = _sanitize_token(TEST_SECRET)
self.assertMaskedSecretCorrect(actual, TEST_SECRET)
def test_sanitize_token_invalid(self):
cases = [
(64 * '*', 'has invalid characters'),
(16 * 'a', 'has incorrect length'),
]
for token, expected_message in cases:
with self.subTest(token=token):
with self.assertRaisesMessage(InvalidTokenFormat, expected_message):
_sanitize_token(token)
def test_does_token_match(self):
cases = [
((MASKED_TEST_SECRET1, MASKED_TEST_SECRET2), True),
((MASKED_TEST_SECRET1, 64 * 'a'), False),
]
for (token1, token2), expected in cases:
with self.subTest(token1=token1, token2=token2):
actual = _does_token_match(token1, token2)
self.assertIs(actual, expected)
class TestingSessionStore(SessionStore):
"""