Posted to commits@allura.apache.org by he...@apache.org on 2015/07/27 22:20:11 UTC

[03/22] allura git commit: [#7927] strengthen / document tests a bit

[#7927] strengthen / document tests a bit


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/bbeebdbb
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/bbeebdbb
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/bbeebdbb

Branch: refs/heads/hs/7925
Commit: bbeebdbb9a3059f1c4595203967e2dbb6bd3a7a6
Parents: 82a3642
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Tue Jul 21 17:43:23 2015 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Tue Jul 21 17:44:31 2015 +0000

----------------------------------------------------------------------
 Allura/allura/tests/functional/test_rest.py | 18 ++++++++++++++++++
 Allura/allura/tests/test_middlewares.py     |  1 +
 2 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/bbeebdbb/Allura/allura/tests/functional/test_rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_rest.py b/Allura/allura/tests/functional/test_rest.py
index 3fed49c..903cda7 100644
--- a/Allura/allura/tests/functional/test_rest.py
+++ b/Allura/allura/tests/functional/test_rest.py
@@ -353,6 +353,24 @@ class TestRestHome(TestRestApiBase):
             r = self.api_get('/rest/p/test/')
             assert r.status_int == 404
 
+    @td.with_wiki
+    def test_cors_POST_req_blocked_by_csrf(self):
+        # so test-admin isn't automatically logged in for all requests
+        self.app.extra_environ = {'disable_auth_magic': 'True'}
+
+        # regular login to get a session cookie set up
+        r = self.app.get('/auth/')
+        r.form['username'] = 'test-admin'
+        r.form['password'] = 'foo'
+        r.form.submit()
+
+        # simulate CORS ajax request withCredentials (cookie headers)
+        # make sure we don't allow the cookies to authorize the request (else could be a CSRF attack vector)
+        assert self.app.cookies['allura']
+        self.app.post('/rest/p/test/wiki/NewPage', headers={'Origin': 'http://bad.com/'},
+                      status=401)
+
+
 class TestDoap(TestRestApiBase):
     validate_skip = True
     ns = '{http://usefulinc.com/ns/doap#}'
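Review bot: The 401 assertion on the `self.app.post(...)` line cannot tell "the session cookie was ignored" apart from "this endpoint rejects every POST", so the test would still pass if the wiki REST route were broken or required something the request lacks; a control request with the class's token-authenticated POST helper (the counterpart of `api_get` used earlier in this class), e.g. `self.api_post('/rest/p/test/wiki/NewPage', text='x', status=200)` with the status adjusted to whatever the route returns on success, would pin that only the cookie path is refused. The `Origin` value `'http://bad.com/'` is not how a browser serialises that header (no path, no trailing slash), so if the middleware ever parses the origin the test stops being representative; `headers={'Origin': 'http://bad.com'}` matches real traffic. A one-line docstring such as `"""A credentialed cross-origin POST must not be authorised by the session cookie alone."""` would also let the method name carry less of the explanation.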

http://git-wip-us.apache.org/repos/asf/allura/blob/bbeebdbb/Allura/allura/tests/test_middlewares.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_middlewares.py b/Allura/allura/tests/test_middlewares.py
index 4b45097..58dc515 100644
--- a/Allura/allura/tests/test_middlewares.py
+++ b/Allura/allura/tests/test_middlewares.py
@@ -77,6 +77,7 @@ class TestCORSMiddleware(object):
         exc.HTTPOk.return_value.assert_called_once_with(env, callback)
 
     def test_get_response_headers_simple(self):
+        # Allow-Origin: * is crucial for security, since that prevents browsers from exposing results fetched withCredentials: true (aka cookies)
         assert_equal(self.cors.get_response_headers(),
                      [('Access-Control-Allow-Origin', '*')])
         assert_equal(self.cors.get_response_headers(preflight=False),
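Review bot: The new comment above `assert_equal(self.cors.get_response_headers(), ...)` states the intent but not why the wildcard is what makes it safe, and it runs well past the line length the rest of the file keeps; it also leaves implicit that the assertion is an exact-list comparison, which is what stops a future `Access-Control-Allow-Credentials: true` from slipping in. Suggested wording, split over lines: `# A literal '*' in Allow-Origin is deliberate: browsers will not expose a` / `# withCredentials (cookie) response unless the origin is echoed back and Allow-Credentials` / `# is set, and the exact-list assertion below guards against either being added later.`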