Commit adfa2b0a authored by Kostas Papadimitriou's avatar Kostas Papadimitriou

astakos: Updated tests

include weblogin view tests
parent efb324c1
......@@ -31,6 +31,9 @@
# interpreted as representing official policies, either expressed
# or implied, of GRNET S.A.
import urlparse
import urllib
from astakos.im.tests.common import *
ui_url = lambda url: '/' + astakos_settings.BASE_PATH + '/ui/%s' % url
......@@ -1297,3 +1300,58 @@ class TestActivationBackend(TestCase):
self.assertTrue(user.moderated_at)
self.assertEqual(user.email_verified, True)
self.assertTrue(user.activation_sent)
class TestWebloginRedirect(TestCase):
@with_settings(settings, COOKIE_DOMAIN='.astakos.synnefo.org')
def test_restricts_domains(self):
get_local_user('user1@synnefo.org')
# next url construct helpers
weblogin = lambda nxt: reverse('weblogin') + '?next=%s' % nxt
weblogin_quoted = lambda nxt: reverse('weblogin') + '?next=%s' % \
urllib.quote_plus(nxt)
# common cases
invalid_domain = weblogin("https://www.invaliddomain.synnefo.org")
invalid_scheme = weblogin("customscheme://localhost")
invalid_scheme_with_valid_domain = \
weblogin("http://www.invaliddomain.com")
valid_scheme = weblogin("pithos://localhost/")
# to be used in assertRedirects
valid_scheme_quoted = weblogin_quoted("pithos://localhost/")
# not authenticated, redirects to login which contains next param with
# additional nested quoted next params
r = self.client.get(valid_scheme, follow=True)
login_redirect = reverse('index') + '?next=' + \
urllib.quote_plus("http://testserver" + valid_scheme_quoted)
self.assertRedirects(r, login_redirect)
# authenticate client
self.client.login(username="user1@synnefo.org", password="password")
# valid scheme
r = self.client.get(valid_scheme, follow=True)
self.assertEqual(len(r.redirect_chain), 3)
url = r.redirect_chain[1][0]
# scheme preserved
self.assertTrue(url.startswith('pithos://localhost/'))
# redirect contains token param
params = urlparse.urlparse(urlparse.urlparse(url).path, 'https').query
params = urlparse.parse_qs(params)
self.assertEqual(params['token'][0],
AstakosUser.objects.get().auth_token)
# does not contain uuid
self.assertFalse('uuid' in params)
# invalid cases
r = self.client.get(invalid_scheme, follow=True)
self.assertEqual(r.status_code, 403)
r = self.client.get(invalid_scheme_with_valid_domain, follow=True)
self.assertEqual(r.status_code, 403)
r = self.client.get(invalid_domain, follow=True)
self.assertEqual(r.status_code, 403)
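Review bot: The name `invalid_scheme_with_valid_domain` appears swapped relative to the URL it holds: `http://www.invaliddomain.com` uses the ordinary http scheme, and under `COOKIE_DOMAIN='.astakos.synnefo.org'` its host is not on the allowed domain, so the 403 assertion on it presumably exercises the domain check rather than the scheme check; renaming it `valid_scheme_with_invalid_domain` would make the intent readable. The test also has no positive case for the domain branch — every accepted `next` here is the `pithos://` custom scheme — so a regression that starts rejecting an `https://` host under the configured cookie domain would go unnoticed; one request such as `self.client.get(weblogin("https://www.astakos.synnefo.org/"), follow=True)` asserting it is not answered with 403 would cover it. A short docstring on `test_restricts_domains` stating that it covers the unauthenticated nested-`next` redirect, the custom-scheme token handoff, and the three rejection cases would help readers, since the inline comments only label each step.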
......@@ -112,9 +112,9 @@ def restrict_next(url, domain=None, allowed_schemes=()):
redirect location of an http redirect response. The method parses the
provided url and identifies if it conforms CORS against provided domain
AND url scheme matches any of the schemes in `allowed_schemes` parameter.
If verirication succeeds sanitized safe url is returned so you must use
the method's response in the response location header and not the
originally provided url. If verification fails the method returns None.
If verirication succeeds sanitized safe url is returned. Consider using
the method's result in the response location header and not the originally
provided url. If verification fails the method returns None.
>>> print restrict_next('/im/feedback', '.okeanos.grnet.gr')
/im/feedback
......@@ -162,6 +162,7 @@ def restrict_next(url, domain=None, allowed_schemes=()):
if not domain and not allowed_schemes:
return url
# domain validation
if domain:
if not parts.netloc:
return url
......@@ -170,6 +171,7 @@ def restrict_next(url, domain=None, allowed_schemes=()):
else:
return None
# scheme validation
if allowed_schemes:
if parts.scheme in allowed_schemes:
return url
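Review bot: The rewritten docstring line `If verirication succeeds sanitized safe url is returned.` carries the misspelling over from the old text and lacks an article, so the edit changes the wording without fixing it; suggest `If verification succeeds, a sanitized safe url is returned.` The following sentence would read more precisely as `Consider using the method's result as the response Location header value rather than the originally provided url.` The body of restrict_next continues outside the hunks shown, so only the docstring and the two added section comments are reviewed here.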
......
......@@ -34,5 +34,6 @@
from django.conf.urls.defaults import patterns, url
urlpatterns = (
url(r'^login$', 'astakos.im.views.target.redirect.login'),
url(r'^login$', 'astakos.im.views.target.redirect.login',
name="weblogin"),
)