# Copyright 2016 The Chromium Authors
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
5"""Tests for XSRF utility functions."""
6from __future__ import print_function
7from __future__ import division
8from __future__ import absolute_import
9
10import time
11import unittest
12
13from mock import patch
14
15from google.appengine.ext import testbed
16
17import settings
18from framework import xsrf
19
20
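class XsrfTest(unittest.TestCase):
  """Unit tests for the XSRF token helpers in framework.xsrf.

  The contract exercised here: a token is bound to the user id and the path
  it was issued for, it is accepted for at most xsrf.TOKEN_TIMEOUT_SEC after
  issue, and it may appear to come from slightly in the future (up to
  xsrf.CLOCK_SKEW_SEC) to tolerate clock drift between instances.  Every
  negative case below must raise xsrf.TokenIncorrect.
  """

  def setUp(self):
    # Activate the App Engine service stubs the xsrf module relies on
    # (memcache and datastore) so each test runs against fresh state.
    self.testbed = testbed.Testbed()
    self.testbed.activate()
    self.testbed.init_memcache_stub()
    self.testbed.init_datastore_v3_stub()

  def tearDown(self):
    self.testbed.deactivate()

  def testGenerateToken_AnonUserGetsAToken(self):
    """Anonymous requests (user id 0) still receive a non-empty token."""
    self.assertNotEqual('', xsrf.GenerateToken(0, '/path'))

  def testGenerateToken_DifferentUsersGetDifferentTokens(self):
    """The token depends on the user id, including anonymous vs. signed-in."""
    self.assertNotEqual(
        xsrf.GenerateToken(111, '/path'),
        xsrf.GenerateToken(222, '/path'))
    self.assertNotEqual(
        xsrf.GenerateToken(111, '/path'),
        xsrf.GenerateToken(0, '/path'))

  def testGenerateToken_DifferentPathsGetDifferentTokens(self):
    """The token depends on the path it was issued for."""
    self.assertNotEqual(
        xsrf.GenerateToken(111, '/path/one'),
        xsrf.GenerateToken(111, '/path/two'))

  def testValidToken(self):
    """A freshly issued token validates for the same user and path."""
    token = xsrf.GenerateToken(111, '/path')
    xsrf.ValidateToken(token, 111, '/path')  # no exception raised

  def testMalformedToken(self):
    """Garbage, empty, and never-issued token-shaped strings are rejected."""
    for bad_token in ('bad', '', '098a08fe08b08c08a05e:9721973123'):
      with self.assertRaises(xsrf.TokenIncorrect):
        xsrf.ValidateToken(bad_token, 111, '/path')

  def testWrongUser(self):
    """A token issued to one user is rejected when presented by another."""
    token = xsrf.GenerateToken(111, '/path')
    with self.assertRaises(xsrf.TokenIncorrect):
      xsrf.ValidateToken(token, 222, '/path')

  def testAnonTokenRejectedForSignedInUser(self):
    """A token obtained anonymously cannot be replayed for a signed-in user."""
    token = xsrf.GenerateToken(0, '/path')
    with self.assertRaises(xsrf.TokenIncorrect):
      xsrf.ValidateToken(token, 111, '/path')

  def testWrongPath(self):
    """A token issued for one path is rejected on a different path."""
    token = xsrf.GenerateToken(111, '/path/one')
    with self.assertRaises(xsrf.TokenIncorrect):
      xsrf.ValidateToken(token, 111, '/path/two')

  @patch('time.time')
  def testValidateToken_Expiration(self, mockTime):
    """Tokens are valid through TOKEN_TIMEOUT_SEC and rejected one second later."""
    test_time = 1526671379
    mockTime.return_value = test_time
    token = xsrf.GenerateToken(111, '/path')
    xsrf.ValidateToken(token, 111, '/path')

    mockTime.return_value = test_time + 1
    xsrf.ValidateToken(token, 111, '/path')

    # The boundary itself is inclusive: exactly TOKEN_TIMEOUT_SEC later the
    # token is still accepted.
    mockTime.return_value = test_time + xsrf.TOKEN_TIMEOUT_SEC
    xsrf.ValidateToken(token, 111, '/path')

    # One second past the timeout the token must be rejected.  Validate with
    # the same user id (111) the token was issued for, so that expiry is the
    # only possible reason for rejection -- checking with a different user id
    # would raise TokenIncorrect regardless of the clock and prove nothing
    # about expiration.
    mockTime.return_value = test_time + xsrf.TOKEN_TIMEOUT_SEC + 1
    with self.assertRaises(xsrf.TokenIncorrect):
      xsrf.ValidateToken(token, 111, '/path')

  @patch('time.time')
  def testValidateToken_Future(self, mockTime):
    """We reject tokens from the future beyond the allowed clock skew."""
    test_time = 1526671379
    mockTime.return_value = test_time
    token = xsrf.GenerateToken(111, '/path')
    xsrf.ValidateToken(token, 111, '/path')

    # The clock of the GAE instance doing the checking might be slightly slow,
    # so a token that looks one second "from the future" is still accepted.
    mockTime.return_value = test_time - 1
    xsrf.ValidateToken(token, 111, '/path')

    # But, if the difference exceeds CLOCK_SKEW_SEC, someone is trying to
    # fake a token (or replay one issued under a forged timestamp).
    mockTime.return_value = test_time - xsrf.CLOCK_SKEW_SEC - 1
    with self.assertRaises(xsrf.TokenIncorrect):
      xsrf.ValidateToken(token, 111, '/path')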