-
Notifications
You must be signed in to change notification settings - Fork 144
/
test_cookie_only.py
376 lines (308 loc) · 12.9 KB
/
test_cookie_only.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
import datetime
import time
import re
import json
import beaker.session
import beaker.util
from beaker.session import SignedCookie
from beaker._compat import b64decode
from beaker.middleware import SessionMiddleware
from unittest import SkipTest
try:
from webtest import TestApp as WebTestApp
except ImportError:
raise SkipTest("webtest not installed")
from beaker import crypto
if not crypto.get_crypto_module('default').has_aes:
raise SkipTest("No AES library is installed, can't test cookie-only "
"Sessions")
def simple_app(environ, start_response):
session = environ['beaker.session']
if 'value' not in session:
session['value'] = 0
session['value'] += 1
if not environ['PATH_INFO'].startswith('/nosave'):
session.save()
start_response('200 OK', [('Content-type', 'text/plain')])
msg = 'The current value is: %d and cookie is %s' % (session['value'], session)
return [msg.encode('UTF-8')]
def test_increment():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app.get('/')
assert 'current value is: 2' in res
res = app.get('/')
assert 'current value is: 3' in res
def test_invalid_cookie():
# This is not actually a cookie only session, but we still test the cookie part.
options = {'session.validate_key':'hoobermas'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
# Set an invalid cookie.
app.set_cookie('cb_/zabbix/actionconf.php_parts', 'HI')
res = app.get('/')
assert 'current value is: 2' in res, res
res = app.get('/')
assert 'current value is: 3' in res, res
def test_invalid_cookie_cookietype():
# This is not actually a cookie only session, but we still test the cookie part.
options = {'session.validate_key':'hoobermas', 'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
# Set an invalid cookie.
app.set_cookie('cb_/zabbix/actionconf.php_parts', 'HI')
res = app.get('/')
assert 'current value is: 2' in res, res
res = app.get('/')
assert 'current value is: 3' in res, res
def test_json_serializer():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie', 'data_serializer': 'json'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app.get('/')
cookie = SignedCookie('hoobermas')
session_data = cookie.value_decode(app.cookies['beaker.session.id'])[0]
session_data = b64decode(session_data)
data = beaker.util.deserialize(session_data, 'json')
assert data['value'] == 2
res = app.get('/')
assert 'current value is: 3' in res
def test_pickle_serializer():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie', 'data_serializer': 'pickle'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app.get('/')
cookie = SignedCookie('hoobermas')
session_data = cookie.value_decode(app.cookies['beaker.session.id'])[0]
session_data = b64decode(session_data)
data = beaker.util.deserialize(session_data, 'pickle')
assert data['value'] == 2
res = app.get('/')
assert 'current value is: 3' in res
def test_custom_serializer():
was_used = [False, False]
class CustomSerializer(object):
def loads(self, data_string):
was_used[0] = True
return json.loads(data_string.decode('utf-8'))
def dumps(self, data):
was_used[1] = True
return json.dumps(data).encode('utf-8')
serializer = CustomSerializer()
options = {'session.validate_key':'hoobermas', 'session.type':'cookie', 'data_serializer': serializer}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app.get('/')
cookie = SignedCookie('hoobermas')
session_data = cookie.value_decode(app.cookies['beaker.session.id'])[0]
session_data = b64decode(session_data)
data = serializer.loads(session_data)
assert data['value'] == 2
res = app.get('/')
assert 'current value is: 3' in res
assert all(was_used)
def test_expires():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie',
'session.cookie_expires': datetime.timedelta(days=1)}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'expires=' in res.headers.getall('Set-Cookie')[0]
assert 'current value is: 1' in res
def test_different_sessions():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
app2 = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app2.get('/')
assert 'current value is: 1' in res
res = app2.get('/')
res = app2.get('/')
res = app2.get('/')
res2 = app.get('/')
assert 'current value is: 2' in res2
assert 'current value is: 4' in res
def test_nosave():
options = {'session.validate_key':'hoobermas', 'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/nosave')
assert 'current value is: 1' in res
assert [] == res.headers.getall('Set-Cookie')
res = app.get('/nosave')
assert 'current value is: 1' in res
res = app.get('/')
assert 'current value is: 1' in res
assert len(res.headers.getall('Set-Cookie')) > 0
res = app.get('/')
assert 'current value is: 2' in res
def test_increment_with_encryption():
options = {'session.encrypt_key':'666a19cf7f61c64c', 'session.validate_key':'hoobermas',
'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app.get('/')
assert 'current value is: 2' in res
res = app.get('/')
assert 'current value is: 3' in res
def test_different_sessions_with_encryption():
options = {'session.encrypt_key':'666a19cf7f61c64c', 'session.validate_key':'hoobermas',
'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
app2 = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'current value is: 1' in res
res = app2.get('/')
assert 'current value is: 1' in res
res = app2.get('/')
res = app2.get('/')
res = app2.get('/')
res2 = app.get('/')
assert 'current value is: 2' in res2
assert 'current value is: 4' in res
def test_nosave_with_encryption():
options = {'session.encrypt_key':'666a19cf7f61c64c', 'session.validate_key':'hoobermas',
'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/nosave')
assert 'current value is: 1' in res
assert [] == res.headers.getall('Set-Cookie')
res = app.get('/nosave')
assert 'current value is: 1' in res
res = app.get('/')
assert 'current value is: 1' in res
assert len(res.headers.getall('Set-Cookie')) > 0
res = app.get('/')
assert 'current value is: 2' in res
def test_cookie_id():
options = {'session.encrypt_key':'666a19cf7f61c64c', 'session.validate_key':'hoobermas',
'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert "_id':" in res
sess_id = re.sub(r".*'_id': '(.*?)'.*", r'\1', res.body.decode('utf-8'))
res = app.get('/')
new_id = re.sub(r".*'_id': '(.*?)'.*", r'\1', res.body.decode('utf-8'))
assert new_id == sess_id
def test_invalidate_with_save_does_not_delete_session():
def invalidate_session_app(environ, start_response):
session = environ['beaker.session']
session.invalidate()
session.save()
start_response('200 OK', [('Content-type', 'text/plain')])
return [('Cookie is %s' % session).encode('UTF-8')]
options = {'session.encrypt_key':'666a19cf7f61c64c', 'session.validate_key':'hoobermas',
'session.type':'cookie'}
app = WebTestApp(SessionMiddleware(invalidate_session_app, **options))
res = app.get('/')
assert 'expires=' not in res.headers.getall('Set-Cookie')[0]
def test_changing_encrypt_key_with_timeout():
COMMON_ENCRYPT_KEY = '666a19cf7f61c64c'
DIFFERENT_ENCRYPT_KEY = 'hello-world'
options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
'session.timeout': 300,
'session.validate_key': 'hoobermas',
'session.type': 'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'The current value is: 1' in res, res
# Get the session cookie, so we can reuse it.
cookies = res.headers['Set-Cookie']
# Check that we get the same session with the same cookie
options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
'session.timeout': 300,
'session.validate_key': 'hoobermas',
'session.type': 'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/', headers={'Cookie': cookies})
assert 'The current value is: 2' in res, res
# Now that we are sure that it reuses the same session,
# change the encrypt_key so that it is unable to understand the cookie.
options = {'session.encrypt_key': DIFFERENT_ENCRYPT_KEY,
'session.timeout': 300,
'session.validate_key': 'hoobermas',
'session.type': 'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/', headers={'Cookie': cookies})
# Let's check it created a new session as the old one is invalid
# in the past it just crashed.
assert 'The current value is: 1' in res, res
def test_cookie_properly_expires():
COMMON_ENCRYPT_KEY = '666a19cf7f61c64c'
options = {'session.encrypt_key': COMMON_ENCRYPT_KEY,
'session.timeout': 1,
'session.validate_key': 'hoobermas',
'session.type': 'cookie'}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/')
assert 'The current value is: 1' in res, res
res = app.get('/')
assert 'The current value is: 2' in res, res
# Wait session to expire and check it starts with a clean one
time.sleep(1)
res = app.get('/')
assert 'The current value is: 1' in res, res
def test_cookie_attributes_are_preserved():
options = {'session.type': 'cookie',
'session.validate_key': 'hoobermas',
'session.httponly': True,
'session.secure': True,
'session.samesite': 'Strict'}
app = WebTestApp(SessionMiddleware(simple_app, options))
res = app.get('/')
cookie = res.headers['Set-Cookie']
assert 'secure' in cookie.lower()
assert 'httponly' in cookie.lower()
assert 'samesite=strict' in cookie.lower()
def test_cookie_path_properly_set_after_init():
COOKIE_PATH = '/app'
options = {
'session.validate_key': 'hoobermas',
'session.type': 'cookie',
'session.cookie_path': COOKIE_PATH,
}
app = WebTestApp(SessionMiddleware(simple_app, **options))
res = app.get('/app')
cookie = res.headers['Set-Cookie']
assert ('path=%s' % COOKIE_PATH) in cookie.lower()
def test_cookie_path_properly_set_after_load():
COOKIE_PATH = '/app'
options = {
'session.validate_key': 'hoobermas',
'session.type': 'cookie',
'session.cookie_path': COOKIE_PATH,
}
app = WebTestApp(SessionMiddleware(simple_app, **options))
# Perform one request to set the cookie
res = app.get('/app')
# Perform another request to load the previous session from the cookie
res = app.get('/app')
cookie = res.headers['Set-Cookie']
assert ('path=%s' % COOKIE_PATH) in cookie.lower()
def test_cookie_path_properly_set_after_delete():
COOKIE_PATH = '/app'
def delete_session_app(environ, start_response):
session = environ['beaker.session']
session.delete()
start_response('200 OK', [('Content-type', 'text/plain')])
return [('Cookie is %s' % session).encode('UTF-8')]
options = {
'session.validate_key': 'hoobermas',
'session.type': 'cookie',
'session.cookie_path': COOKIE_PATH,
}
app = WebTestApp(SessionMiddleware(delete_session_app, **options))
res = app.get('/app')
cookie = res.headers['Set-Cookie']
assert ('path=%s' % COOKIE_PATH) in cookie.lower()
if __name__ == '__main__':
from paste import httpserver
wsgi_app = SessionMiddleware(simple_app, {})
httpserver.serve(wsgi_app, host='127.0.0.1', port=8080)