4_2__4_do_not_accept_malformed_resource_parameters.py
import urllib
import urllib.parse
from json import JSONDecodeError

from feditest import hard_assert_that, soft_assert_that, test
from feditest.protocols.web.traffic import HttpResponse
from feditest.protocols.webfinger import WebFingerClient, WebFingerServer
from feditest.protocols.webfinger.traffic import ClaimedJrd
from hamcrest import all_of, equal_to, greater_than_or_equal_to, less_than


@test
def requires_valid_resource_uri_http_status(
        client: WebFingerClient,
        server: WebFingerServer
) -> None:
    """
    Do not accept malformed resource parameters. Test HTTP status for missing acct: scheme.
    """
    # NOTE(review): docstring left verbatim; the @test decorator presumably surfaces it
    # as the test description in reports -- confirm before rewording.
    #
    # WebFingerClient cannot be made to issue an invalid query, so the request is sent
    # through the lower-level http_get call instead.
    account_id : str = server.obtain_account_identifier()
    # Dropping "acct:" leaves a resource value with no URI scheme, which is the
    # malformation under test. The value is placed in the query string unescaped.
    schemeless_id : str = account_id.replace("acct:", "")
    malformed_webfinger_uri : str = (
        f"https://{server.hostname}/.well-known/webfinger?resource={schemeless_id}"
    )
    reply : HttpResponse = client.http_get(malformed_webfinger_uri).response

    # Any 4xx counts as the server refusing the malformed input; exactly 400 is
    # checked separately. Both checks are soft assertions, and the response body is
    # not inspected here (see requires_valid_resource_uri_jrd for that).
    any_client_error = all_of(greater_than_or_equal_to(400), less_than(500))
    soft_assert_that(
        reply.http_status,
        any_client_error,
        f'Not HTTP status 4xx.\nAccessed URI: "{ malformed_webfinger_uri }".')
    soft_assert_that(
        reply.http_status,
        equal_to(400),
        f'Not HTTP status 400\nAccessed URI: "{ malformed_webfinger_uri }".')


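@test
def requires_valid_resource_uri_jrd(
    client: WebFingerClient,
    server: WebFingerServer
) -> None:
    """
    Do not accept malformed resource parameters. Test JRD content for missing acct: scheme.
    """
    # NOTE(review): docstring left verbatim; the @test decorator presumably surfaces it
    # as the test description in reports -- confirm before rewording.
    #
    # We use the lower-level API from WebClient because we can't make the WebFingerClient do something invalid
    test_id : str = server.obtain_account_identifier()
    hostname : str = server.hostname

    # Removing "acct:" leaves a resource value with no URI scheme; it is sent unescaped.
    test_id_no_scheme = test_id.replace("acct:", "")
    malformed_webfinger_uri : str = f"https://{hostname}/.well-known/webfinger?resource={test_id_no_scheme}"

    response : HttpResponse = client.http_get(malformed_webfinger_uri).response

    # The test passes when the payload does NOT validate as a JRD. That covers any
    # non-JRD body (including an error page); the status code is checked by
    # requires_valid_resource_uri_http_status.
    try: # we do not use the pyhamcrest any_of(raises, raises) because the error message is incomprehensible
        ClaimedJrd.create_and_validate(response.payload)
    except ExceptionGroup as exc:
        # A group is acceptable only if every member is one of the expected
        # validation/parsing errors; anything else is re-raised unchanged.
        if not all(isinstance(e, (RuntimeError, JSONDecodeError)) for e in exc.exceptions):
            raise
    except (RuntimeError, JSONDecodeError):
        pass # expected
    else:
        # Reported from the else branch so that the failure can never be swallowed
        # by the handlers above, whatever exception type soft_assert_that raises.
        soft_assert_that(False, f'Returns JRD content.\nAccessed URI: "{ malformed_webfinger_uri }".')

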
@test
def double_equals_http_status(
        client: WebFingerClient,
        server: WebFingerServer
) -> None:
    """
    Do not accept malformed resource parameters. Test HTTP status for inserting an extra = character.
    """
    # NOTE(review): docstring left verbatim; the @test decorator presumably surfaces it
    # as the test description in reports -- confirm before rewording.
    #
    # WebFingerClient cannot be made to issue an invalid query, so the request is sent
    # through the lower-level http_get call instead.
    account_id = server.obtain_account_identifier()
    # The identifier itself is percent-encoded and otherwise valid; the only
    # malformation is the doubled "=" after the parameter name.
    malformed_webfinger_uri = (
        f"https://{server.hostname}/.well-known/webfinger?resource=={urllib.parse.quote(account_id)}"
    )
    reply : HttpResponse = client.http_get(malformed_webfinger_uri).response

    # A status outside 4xx is a hard failure here; exactly 400 is only a soft check.
    any_client_error = all_of(greater_than_or_equal_to(400), less_than(500))
    hard_assert_that(
        reply.http_status,
        any_client_error,
        f'Not HTTP status 4xx.\nAccessed URI: "{ malformed_webfinger_uri }".')
    soft_assert_that(
        reply.http_status,
        equal_to(400),
        f'Not HTTP status 400\nAccessed URI: "{ malformed_webfinger_uri }".')


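@test
def double_equals_jrd(
    client: WebFingerClient,
    server: WebFingerServer
) -> None:
    """
    Do not accept malformed resource parameters. Test JRD content for inserting an extra = character.
    """
    # NOTE(review): docstring left verbatim; the @test decorator presumably surfaces it
    # as the test description in reports -- confirm before rewording.
    #
    # We use the lower-level API from WebClient because we can't make the WebFingerClient do something invalid
    test_id = server.obtain_account_identifier()
    hostname : str = server.hostname

    # The identifier is percent-encoded and otherwise valid; the doubled "=" is the
    # only malformation. urllib.parse is a submodule and needs its own import.
    malformed_webfinger_uri = f"https://{hostname}/.well-known/webfinger?resource=={urllib.parse.quote(test_id)}"

    response : HttpResponse = client.http_get(malformed_webfinger_uri).response

    # The test passes when the payload does NOT validate as a JRD. That covers any
    # non-JRD body (including an error page); the status code is checked by
    # double_equals_http_status.
    try: # we do not use the pyhamcrest any_of(raises, raises) because the error message is incomprehensible
        ClaimedJrd.create_and_validate(response.payload)
    except ExceptionGroup as exc:
        # A group is acceptable only if every member is one of the expected
        # validation/parsing errors; anything else is re-raised unchanged.
        if not all(isinstance(e, (RuntimeError, JSONDecodeError)) for e in exc.exceptions):
            raise
    except (RuntimeError, JSONDecodeError):
        pass # expected
    else:
        # Reported from the else branch so that the failure can never be swallowed
        # by the handlers above, whatever exception type soft_assert_that raises.
        soft_assert_that(False, f'Returns JRD content.\nAccessed URI: "{ malformed_webfinger_uri }".')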