Mercurial > p > roundup > code
comparison test/test_templating.py @ 5211:f4b6a2a3e605
Fix expiration dates and expire csrf tokens properly
In client.py: add explicit expiration of csrf tokens to
handle_csrf. There is a clean_up() that runs on every client
connection before handle)csrf is invoked, but it only cleans every
hour. With short lived tokens this is insufficient. Also remove
debugging.
In templating.py fix values for seconds/week and minutes per week. The
original values were shifted/transposed and an order of magnitude off.
In test_templating.py again fix seconds/week constant.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Mar 2017 17:10:13 -0400 |
| parents | a9ace22e0a2f |
| children | 578e86e015f9 |
comparison
equal
deleted
inserted
replaced
| 5210:7da56980754d | 5211:f4b6a2a3e605 |
|---|---|
| 141 * create nonce via module function with default lifetime | 141 * create nonce via module function with default lifetime |
| 142 | 142 |
| 143 ''' | 143 ''' |
| 144 | 144 |
| 145 # the value below is number of seconds in a week. | 145 # the value below is number of seconds in a week. |
| 146 week_seconds = 648000 | 146 week_seconds = 604800 |
| 147 | |
| 148 otks=self.client.db.getOTKManager() | |
| 149 | |
| 147 for test in [ 'module', 'template', 'default_time' ]: | 150 for test in [ 'module', 'template', 'default_time' ]: |
| 151 print "Testing:", test | |
| 152 | |
| 148 if test == 'module': | 153 if test == 'module': |
| 149 # test the module function | 154 # test the module function |
| 150 nonce1 = anti_csrf_nonce(self, self.client, lifetime=1) | 155 nonce1 = anti_csrf_nonce(self, self.client, lifetime=1) |
| 151 # lifetime * 60 is the offset | 156 # lifetime * 60 is the offset |
| 152 greater_than = week_seconds - 1 * 60 | 157 greater_than = week_seconds - 1 * 60 |
| 160 nonce1 = anti_csrf_nonce(self, self.client) | 165 nonce1 = anti_csrf_nonce(self, self.client) |
| 161 # see above for web nonce lifetime. | 166 # see above for web nonce lifetime. |
| 162 greater_than = week_seconds - 10 * 60 | 167 greater_than = week_seconds - 10 * 60 |
| 163 | 168 |
| 164 self.assertEqual(len(nonce1), 64) | 169 self.assertEqual(len(nonce1), 64) |
| 165 otks=self.client.db.getOTKManager() | |
| 166 | 170 |
| 167 uid = otks.get(nonce1, 'uid', default=None) | 171 uid = otks.get(nonce1, 'uid', default=None) |
| 168 sid = otks.get(nonce1, 'sid', default=None) | 172 sid = otks.get(nonce1, 'sid', default=None) |
| 169 timestamp = otks.get(nonce1, '__timestamp', default=None) | 173 timestamp = otks.get(nonce1, '__timestamp', default=None) |
| 170 | 174 |
| 171 self.assertEqual(uid, 10) | 175 self.assertEqual(uid, 10) |
| 172 self.assertEqual(sid, self.client.session_api._sid) | 176 self.assertEqual(sid, self.client.session_api._sid) |
| 173 | 177 |
| 174 ts = time.time() | 178 now = time.time() |
| 179 | |
| 180 print "now, timestamp, greater, difference", \ | |
| 181 now, timestamp, greater_than, now - timestamp | |
| 182 | |
| 175 | 183 |
| 176 # lower bound of the difference is above. Upper bound | 184 # lower bound of the difference is above. Upper bound |
| 177 # of difference is run time between time.time() in | 185 # of difference is run time between time.time() in |
| 178 # the call to anti_csrf_nonce and the time.time() call | 186 # the call to anti_csrf_nonce and the time.time() call |
| 179 # that assigns ts above. I declare that difference | 187 # that assigns ts above. I declare that difference |
| 180 # to be less than 1 second for this to pass. | 188 # to be less than 1 second for this to pass. |
| 181 self.assertEqual(True, | 189 self.assertEqual(True, |
| 182 greater_than < ts - timestamp < (greater_than + 1) ) | 190 greater_than <= now - timestamp < (greater_than + 1) ) |
| 183 | |
| 184 print "completed", test | |
| 185 | 191 |
| 186 def test_string_url_quote(self): | 192 def test_string_url_quote(self): |
| 187 ''' test that urlquote quotes the string ''' | 193 ''' test that urlquote quotes the string ''' |
| 188 p = StringHTMLProperty(self.client, 'test', '1', None, 'test', 'test string< foo@bar') | 194 p = StringHTMLProperty(self.client, 'test', '1', None, 'test', 'test string< foo@bar') |
| 189 self.assertEqual(p.url_quote(), 'test%20string%3C%20foo%40bar') | 195 self.assertEqual(p.url_quote(), 'test%20string%3C%20foo%40bar') |