blob: f782f22a58943016f40a2ad5c63df833a40dac6d [file] [log] [blame]
# Copyright 2016 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file or at
# https://developers.google.com/open-source/licenses/bsd
"""Tests for monorail.tracker.issueattachment."""
from __future__ import print_function
from __future__ import division
from __future__ import absolute_import
import unittest
from google.appengine.ext import testbed
try:
from mox3 import mox
except ImportError:
import mox
import webapp2
from framework import gcs_helpers
from framework import permissions
from proto import tracker_pb2
from services import service_manager
from testing import fake
from testing import testing_helpers
from tracker import attachment_helpers
from tracker import issueattachment
class IssueattachmentTest(unittest.TestCase):
def setUp(self):
self.mox = mox.Mox()
self.testbed = testbed.Testbed()
self.testbed.activate()
self.testbed.init_memcache_stub()
self.testbed.init_app_identity_stub()
self.testbed.init_urlfetch_stub()
self.attachment_data = ""
services = service_manager.Services(
project=fake.ProjectService(),
config=fake.ConfigService(),
issue=fake.IssueService(),
user=fake.UserService())
self.project = services.project.TestAddProject('proj')
self.servlet = issueattachment.AttachmentPage(
'req', webapp2.Response(), services=services)
services.user.TestAddUser('commenter@example.com', 111)
self.issue = fake.MakeTestIssue(
self.project.project_id, 1, 'summary', 'New', 111)
services.issue.TestAddIssue(self.issue)
self.comment = tracker_pb2.IssueComment(
id=123, issue_id=self.issue.issue_id,
project_id=self.project.project_id, user_id=111,
content='this is a comment')
services.issue.TestAddComment(self.comment, self.issue.local_id)
self.attachment = tracker_pb2.Attachment(
attachment_id=54321, filename='hello.txt', filesize=23432,
mimetype='text/plain', gcs_object_id='/pid/attachments/object_id')
services.issue.TestAddAttachment(
self.attachment, self.comment.id, self.issue.issue_id)
self.orig_sign_attachment_id = attachment_helpers.SignAttachmentID
attachment_helpers.SignAttachmentID = (
lambda aid: 'signed_%d' % aid)
def tearDown(self):
self.mox.UnsetStubs()
self.mox.ResetAll()
self.testbed.deactivate()
attachment_helpers.SignAttachmentID = self.orig_sign_attachment_id
def testGatherPageData_NotFound(self):
aid = 12345
path = '/p/proj/issues/attachment?aid=%s&signed_aid=signed_%d' % (
aid, aid)
# But, no such attachment is in the database.
_request, mr = testing_helpers.GetRequestObjects(
project=self.project, path=path,
perms=permissions.EMPTY_PERMISSIONSET)
with self.assertRaises(webapp2.HTTPException) as cm:
self.servlet.GatherPageData(mr)
self.assertEqual(404, cm.exception.code)
# TODO(jrobbins): test cases for missing comment and missing issue.
def testGatherPageData_PermissionDenied(self):
aid = self.attachment.attachment_id
path = '/p/proj/issues/attachment?aid=%s&signed_aid=signed_%d' % (
aid, aid)
_request, mr = testing_helpers.GetRequestObjects(
project=self.project, path=path,
perms=permissions.EMPTY_PERMISSIONSET) # not even VIEW
self.assertRaises(
permissions.PermissionException,
self.servlet.GatherPageData, mr)
_request, mr = testing_helpers.GetRequestObjects(
project=self.project, path=path,
perms=permissions.READ_ONLY_PERMISSIONSET) # includes VIEW
# issue is now deleted
self.issue.deleted = True
self.assertRaises(
permissions.PermissionException,
self.servlet.GatherPageData, mr)
self.issue.deleted = False
# issue is now restricted
self.issue.labels.extend(['Restrict-View-PermYouLack'])
self.assertRaises(
permissions.PermissionException,
self.servlet.GatherPageData, mr)
def testGatherPageData_Download_WithDisposition(self):
aid = self.attachment.attachment_id
self.mox.StubOutWithMock(gcs_helpers, 'MaybeCreateDownload')
gcs_helpers.MaybeCreateDownload(
'app_default_bucket',
'/pid/attachments/object_id',
self.attachment.filename).AndReturn(True)
self.mox.StubOutWithMock(gcs_helpers, 'SignUrl')
gcs_helpers.SignUrl(
'app_default_bucket',
'/pid/attachments/object_id-download'
).AndReturn('googleusercontent.com/...-download...')
self.mox.StubOutWithMock(self.servlet, 'redirect')
path = '/p/proj/issues/attachment?aid=%s&signed_aid=signed_%d' % (
aid, aid)
_request, mr = testing_helpers.GetRequestObjects(
project=self.project, path=path,
perms=permissions.READ_ONLY_PERMISSIONSET) # includes VIEW
self.servlet.redirect(
mox.And(mox.StrContains('googleusercontent.com'),
mox.StrContains('-download')), abort=True)
self.mox.ReplayAll()
self.servlet.GatherPageData(mr)
self.mox.VerifyAll()
def testGatherPageData_Download_WithoutDisposition(self):
aid = self.attachment.attachment_id
path = '/p/proj/issues/attachment?aid=%s&signed_aid=signed_%d' % (
aid, aid)
self.mox.StubOutWithMock(gcs_helpers, 'MaybeCreateDownload')
gcs_helpers.MaybeCreateDownload(
'app_default_bucket',
'/pid/attachments/object_id',
self.attachment.filename).AndReturn(False)
self.mox.StubOutWithMock(gcs_helpers, 'SignUrl')
gcs_helpers.SignUrl(
'app_default_bucket',
'/pid/attachments/object_id'
).AndReturn('googleusercontent.com/...')
self.mox.StubOutWithMock(self.servlet, 'redirect')
_request, mr = testing_helpers.GetRequestObjects(
project=self.project, path=path,
perms=permissions.READ_ONLY_PERMISSIONSET) # includes VIEW
self.servlet.redirect(
mox.And(mox.StrContains('googleusercontent.com'),
mox.Not(mox.StrContains('-download'))), abort=True)
self.mox.ReplayAll()
self.servlet.GatherPageData(mr)
self.mox.VerifyAll()
def testGatherPageData_DownloadBadFilename(self):
aid = self.attachment.attachment_id
path = '/p/proj/issues/attachment?aid=%s&signed_aid=signed_%d' % (
aid, aid)
self.attachment.filename = '<script>alert("xsrf")</script>.txt';
safe_filename = 'attachment-%d.dat' % aid
self.mox.StubOutWithMock(gcs_helpers, 'MaybeCreateDownload')
gcs_helpers.MaybeCreateDownload(
'app_default_bucket',
'/pid/attachments/object_id',
safe_filename).AndReturn(True)
self.mox.StubOutWithMock(gcs_helpers, 'SignUrl')
gcs_helpers.SignUrl(
'app_default_bucket',
'/pid/attachments/object_id-download'
).AndReturn('googleusercontent.com/...-download...')
self.mox.StubOutWithMock(self.servlet, 'redirect')
_request, mr = testing_helpers.GetRequestObjects(
project=self.project,
path=path,
perms=permissions.READ_ONLY_PERMISSIONSET) # includes VIEW
self.servlet.redirect(mox.And(
mox.Not(mox.StrContains(self.attachment.filename)),
mox.StrContains('googleusercontent.com')), abort=True)
self.mox.ReplayAll()
self.servlet.GatherPageData(mr)
self.mox.VerifyAll()