annotate test/test_jinja2.py @ 8265:35beff316883
fix(api): issue2551384. Verify REST authorization earlier

To reduce the ability of bad actors to spam (DOS) the REST endpoint
with bad data and generate logs meant for debugging, modify the flow
in client.py's REST handler to verify authorization earlier.

If the anonymous user is allowed to use REST, this won't make a
difference for a DOS attempt. The templates don't enable REST for the
anonymous user by default. Most admins don't change this.

The validation order for REST requests has been changed.

1. CORS identified and handled
2. User authorization to use REST (return 403 on failure)
3. REST request validated (Origin header valid etc.) (return 400 for bad request)

Incorrectly formatted CORS preflight requests (e.g. missing Origin
header) that are not recognized as a CORS request can now return HTTP
status 403 as well as status 400 (when anonymous is allowed
access). Note all CORS preflights are sent without authentication so
appear as anonymous requests.

The tests were updated to compensate, but it is not obvious to me from
specs what the proper evaluation order/return codes should be for this
case. Both 403/400 are failures and cause CORS to fail so there should
be no difference but...

| field | value |
|---|---|
| author | John Rouillard <rouilj@ieee.org> |
| date | Thu, 09 Jan 2025 09:30:08 -0500 |
| parents | d26921b851c3 |
| children | |
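
The check order from the commit message above, modelled as an added example (this is not Roundup's client.py code). `rest_status`, `is_cors_preflight`, the 204 preflight reply, the simplified Origin rule and the `authz_first=False` ordering (validation before authorization) are assumptions made for illustration.

```python
# Added illustration; not Roundup's client.py. Names and rules are assumptions.

def is_cors_preflight(method, headers):
    # Assumed recognition rule: OPTIONS carrying both preflight headers.
    return (method == "OPTIONS" and "Origin" in headers
            and "Access-Control-Request-Method" in headers)


def rest_status(method, headers, user, rest_users, allowed_origins,
                authz_first=True):
    """Return (status, steps); steps lists the checks that actually ran."""
    steps = ["cors"]
    # 1. CORS preflight identified and handled (204 is this model's choice).
    if is_cors_preflight(method, headers):
        return 204, steps

    def authorize():
        # 2. May this user use REST at all? 403 on failure.
        steps.append("authz")
        return None if user in rest_users else 403

    def validate():
        # 3. Simplified stand-in for "Origin header valid etc."; 400 on failure.
        steps.append("validate")
        if method != "GET" and headers.get("Origin") not in allowed_origins:
            return 400
        return None

    # authz_first=False models validation running before authorization.
    checks = (authorize, validate) if authz_first else (validate, authorize)
    for check in checks:
        status = check()
        if status is not None:
            return status, steps
    return 200, steps


# Constructed sample: a preflight missing Origin, so it is not seen as CORS.
MALFORMED = ("OPTIONS", {"Access-Control-Request-Method": "POST"}, "anonymous")
ORIGINS = {"https://tracker.example"}

if __name__ == "__main__":
    for label, users in (("anonymous denied", {"admin"}),
                         ("anonymous allowed", {"admin", "anonymous"})):
        for first in (True, False):
            print(label, "authz_first=%s" % first,
                  rest_status(*MALFORMED, users, ORIGINS, authz_first=first))
```

With anonymous denied, the malformed preflight stops at the authorization step with 403 and never reaches validation; with anonymous allowed it passes authorization and still ends in 400.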

| rev | changeset | description | author | parents |
|---|---|---|---|---|
| 4964 | 2c3cc4ccd024 | Automatic tests: added some notes to the readme and a test_jinja2 stub. | Bernhard Reiter <bernhard@intevation.de> | |
| 5009 | 3766e0ca8e7a | test_jinja2: stub improved, now with proper teardown. | Bernhard Reiter <bernhard@intevation.de> | 4964 |
| 5033 | 63c79c0992ae | Update tests to work with py.test | John Kristensen <john@jerrykan.com> | 5009 |
| 5037 | 364c54991861 | Remove unneeded TestSuite code from tests | John Kristensen <john@jerrykan.com> | 5033 |
| 5248 | 198b6e810c67 | Use Python-3-compatible 'as' syntax for except statements | Eric S. Raymond <esr@thyrsus.com> | 5037 |
| 5388 | d26921b851c3 | Python 3 preparation: make relative imports explicit. | Joseph Myers <jsm@polyomino.org.uk> | 5248 |

| rev | line source |
|---|---|
| 5248 | 1 #-*- encoding: utf-8 -*- |
| 4964 | 2 """ Testing the jinja2 templating engine of roundup-tracker. |
| 4964 | 3 |
| 5009 | 4 Copyright: 2016 Intevation GmbH. |
| 5009 | 5 Author: Bernhard E. Reiter <bernhard@intevation.de> |
| 5009 | 6 |
| 4964 | 7 This module is Free Software under the Roundup licensing of 1.5, |
| 4964 | 8 see the COPYING.txt file coming with Roundup. |
| 4964 | 9 |
| 4964 | 10 Just a test file template for now. |
| 4964 | 11 """ |
| 5009 | 12 import shutil # only, needed for tearDown. TODO: Remove when refactored. |
| 4964 | 13 import unittest |
| 4964 | 14 |
| 5388 | 15 from . import db_test_base |
| 4964 | 16 |
| 4964 | 17 TESTSUITE_IDENTIFIER='jinja2' |
| 4964 | 18 |
| 4964 | 19 class TestCase_Zero(unittest.TestCase): |
| 4964 | 20     def test_zero(self): |
| 4964 | 21         self.assertEqual(True, True) |
| 4964 | 22 |
| 5033 | 23 |
| 5033 | 24 class Jinja2Test(object): |
| 5009 | 25     """Sets up and tears down an instance with database contents. |
| 5009 | 26 |
| 5009 | 27     Setup and teardown modelled after the use of db_test_base |
| 5009 | 28     by several modules like test_xmlrpc and test_userauditor. |
| 5009 | 29 |
| 5009 | 30     TODO: Should probably be moved to a base case in db_test_base.py. |
| 5009 | 31     """ |
| 4964 | 32 |
| 4964 | 33     backend = None # can be used to create tests per backend, see test_xmlrpc |
| 4964 | 34 |
| 4964 | 35     def setUp(self): |
| 4964 | 36         self.dirname = '_test_' + TESTSUITE_IDENTIFIER |
| 4964 | 37         self.instance = db_test_base.setupTracker(self.dirname, self.backend) |
| 4964 | 38         self.db = self.instance.open('admin') |
| 4964 | 39 |
| 5009 | 40     def tearDown(self): |
| 5009 | 41         self.db.close() |
| 5009 | 42         try: |
| 5009 | 43             shutil.rmtree(self.dirname) |
| 5248 | 44         except OSError as error: |
| 5009 | 45             if error.errno not in (errno.ENOENT, errno.ESRCH): raise |
| 5009 | 46 |
| 4964 | 47     def test_zero(self): |
| 5009 | 48         """Do nothing just make sure that setup and teardown works.""" |
| 4964 | 49         pass |
| 4964 | 50 |
| 5009 | 51 |
| 5037 | 52 # only using one database backend for now, not sure if doing all |
| 5037 | 53 # backends will keep the test focussed enough to be useful for the used |
| 5037 | 54 # computing time. Would be okay to change in the future. |
| 5033 | 55 class anydbmJinja2Test(Jinja2Test, unittest.TestCase): |
| 5033 | 56     backend = 'anydbm' |
| 5033 | 57 |
| 4964 | 58 # vim: ts=4 et sts=4 sw=4 ai : |
| 4964 | 59 |
| 4964 | 60 |
