Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
webssh
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
郑天保
webssh
Commits
58feb5e7
Commit
58feb5e7
authored
Aug 28, 2018
by
Sheng
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Enable xsrf for testing
parent
688ca78b
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
60 additions
and
119 deletions
+60
-119
test_app.py
tests/test_app.py
+60
-119
No files found.
tests/test_app.py
View file @
58feb5e7
...
...
@@ -29,23 +29,23 @@ class TestApp(AsyncHTTPTestCase):
running
=
[
True
]
sshserver_port
=
2200
body
=
'hostname=127.0.0.1&port={}&username=robey&password=foo'
.
format
(
sshserver_port
)
# noqa
body
=
'hostname=127.0.0.1&port={}&_xsrf=yummy&username=robey&password=foo'
.
format
(
sshserver_port
)
# noqa
headers
=
{
'Cookie'
:
'_xsrf=yummy'
}
def
get_app
(
self
):
self
.
body_dict
=
{
'hostname'
:
'127.0.0.1'
,
'port'
:
str
(
self
.
sshserver_port
),
'username'
:
'robey'
,
'password'
:
''
'password'
:
''
,
'_xsrf'
:
'yummy'
}
loop
=
self
.
io_loop
options
.
debug
=
False
options
.
policy
=
random
.
choice
([
'warning'
,
'autoadd'
])
options
.
hostFile
=
''
options
.
sysHostFile
=
''
settings
=
get_app_settings
(
options
)
settings
.
update
(
xsrf_cookies
=
False
)
app
=
make_app
(
make_handlers
(
loop
,
options
),
settings
)
app
=
make_app
(
make_handlers
(
loop
,
options
),
get_app_settings
(
options
))
return
app
@classmethod
...
...
@@ -73,82 +73,87 @@ class TestApp(AsyncHTTPTestCase):
else
:
self
.
assertIn
(
b
'Bad Request'
,
whole
)
def
sync_post
(
self
,
body
,
headers
=
{},
url
=
'/'
,
method
=
'POST'
):
headers
.
update
(
self
.
headers
)
return
self
.
fetch
(
url
,
method
=
method
,
body
=
body
,
headers
=
headers
)
def
async_post
(
self
,
url
,
body
,
headers
=
{},
method
=
'POST'
):
client
=
self
.
get_http_client
()
headers
.
update
(
self
.
headers
)
return
client
.
fetch
(
url
,
method
=
method
,
body
=
body
,
headers
=
headers
)
def
test_app_with_invalid_form_for_missing_argument
(
self
):
response
=
self
.
fetch
(
'/'
)
self
.
assertEqual
(
response
.
code
,
200
)
body
=
'port=7000&username=admin&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'port=7000&username=admin&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing argument hostname'
,
response
.
body
)
body
=
'hostname=127.0.0.1&username=admin&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&username=admin&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing argument port'
,
response
.
body
)
body
=
'hostname=127.0.0.1&port=7000&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=7000&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing argument username'
,
response
.
body
)
body
=
'hostname=&port=&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=&port=&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing value hostname'
,
response
.
body
)
body
=
'hostname=127.0.0.1&port=&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing value port'
,
response
.
body
)
body
=
'hostname=127.0.0.1&port=7000&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=7000&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Missing value username'
,
response
.
body
)
def
test_app_with_invalid_form_for_invalid_value
(
self
):
body
=
'hostname=127.0.0&port=22&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0&port=22&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Invalid hostname'
,
response
.
body
)
body
=
'hostname=http://www.googe.com&port=22&username=&password
'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=http://www.googe.com&port=22&username=&password
&_xsrf=yummy'
# noqa
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Invalid hostname'
,
response
.
body
)
body
=
'hostname=127.0.0.1&port=port&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=port&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Invalid port'
,
response
.
body
)
body
=
'hostname=127.0.0.1&port=70000&username=&password'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=70000&username=&password
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
my_assertIn
(
b
'Invalid port'
,
response
.
body
)
def
test_app_with_wrong_hostname_ip
(
self
):
body
=
'hostname=127.0.0.1&port=7000&username=admin'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=7000&username=admin
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
assertEqual
(
response
.
code
,
200
)
self
.
assertIn
(
b
'Unable to connect to'
,
response
.
body
)
def
test_app_with_wrong_hostname_domain
(
self
):
body
=
'hostname=xxxxxxxxxxxx&port=7000&username=admin'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=xxxxxxxxxxxx&port=7000&username=admin
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
assertEqual
(
response
.
code
,
200
)
self
.
assertIn
(
b
'Unable to connect to'
,
response
.
body
)
def
test_app_with_wrong_port
(
self
):
body
=
'hostname=127.0.0.1&port=7000&username=admin'
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
body
)
body
=
'hostname=127.0.0.1&port=7000&username=admin
&_xsrf=yummy
'
response
=
self
.
sync_post
(
body
)
self
.
assertEqual
(
response
.
code
,
200
)
self
.
assertIn
(
b
'Unable to connect to'
,
response
.
body
)
def
test_app_with_wrong_credentials
(
self
):
response
=
self
.
fetch
(
'/'
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
self
.
body
+
's'
)
response
=
self
.
sync_post
(
self
.
body
+
's'
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'encoding'
])
self
.
assertIsNone
(
data
[
'id'
])
self
.
assertIn
(
'Authentication failed.'
,
data
[
'status'
])
def
test_app_with_correct_credentials
(
self
):
response
=
self
.
fetch
(
'/'
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
self
.
fetch
(
'/'
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
self
.
sync_post
(
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -157,11 +162,7 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_timeout
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
yield
self
.
async_post
(
url
,
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -178,11 +179,7 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_user_robey
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
yield
self
.
async_post
(
url
,
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -198,11 +195,7 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_but_without_id_argument
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
yield
self
.
async_post
(
url
,
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -218,11 +211,7 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_but_empty_id
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
yield
self
.
async_post
(
url
,
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -238,11 +227,7 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_but_wrong_id
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
self
.
body
)
response
=
yield
self
.
async_post
(
url
,
self
.
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -257,13 +242,9 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_with_correct_credentials_user_bar
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
body
=
self
.
body
.
replace
(
'robey'
,
'bar'
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
body
)
url
=
self
.
get_url
(
'/'
)
response
=
yield
self
.
async_post
(
url
,
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -307,14 +288,10 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_auth_with_valid_pubkey_by_urlencoded_form
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
read_file
(
make_tests_data_path
(
'user_rsa_key'
))
self
.
body_dict
.
update
(
privatekey
=
privatekey
)
body
=
urlencode
(
self
.
body_dict
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -330,10 +307,6 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_auth_with_valid_pubkey_by_multipart_form
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
read_file
(
make_tests_data_path
(
'user_rsa_key'
))
files
=
[(
'privatekey'
,
'user_rsa_key'
,
privatekey
)]
content_type
,
body
=
encode_multipart_formdata
(
self
.
body_dict
.
items
(),
...
...
@@ -341,8 +314,7 @@ class TestApp(AsyncHTTPTestCase):
headers
=
{
'Content-Type'
:
content_type
,
'content-length'
:
str
(
len
(
body
))
}
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'status'
])
self
.
assertIsNotNone
(
data
[
'id'
])
...
...
@@ -358,10 +330,6 @@ class TestApp(AsyncHTTPTestCase):
@tornado.testing.gen_test
def
test_app_auth_with_invalid_pubkey_for_user_robey
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
'h'
*
1024
files
=
[(
'privatekey'
,
'user_rsa_key'
,
privatekey
)]
content_type
,
body
=
encode_multipart_formdata
(
self
.
body_dict
.
items
(),
...
...
@@ -371,22 +339,16 @@ class TestApp(AsyncHTTPTestCase):
}
if
swallow_http_errors
:
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
b
'Invalid private key'
,
response
.
body
)
else
:
with
self
.
assertRaises
(
HTTPError
)
as
ctx
:
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
'Bad Request'
,
ctx
.
exception
.
message
)
@tornado.testing.gen_test
def
test_app_auth_with_pubkey_exceeds_key_max_size
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
'h'
*
(
handler
.
KEY_MAX_SIZE
*
2
)
files
=
[(
'privatekey'
,
'user_rsa_key'
,
privatekey
)]
content_type
,
body
=
encode_multipart_formdata
(
self
.
body_dict
.
items
(),
...
...
@@ -395,22 +357,16 @@ class TestApp(AsyncHTTPTestCase):
'Content-Type'
:
content_type
,
'content-length'
:
str
(
len
(
body
))
}
if
swallow_http_errors
:
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
b
'Invalid private key'
,
response
.
body
)
else
:
with
self
.
assertRaises
(
HTTPError
)
as
ctx
:
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
'Bad Request'
,
ctx
.
exception
.
message
)
@tornado.testing.gen_test
def
test_app_auth_with_pubkey_cannot_be_decoded_by_multipart_form
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
'h'
*
1024
files
=
[(
'privatekey'
,
'user_rsa_key'
,
privatekey
)]
content_type
,
body
=
encode_multipart_formdata
(
self
.
body_dict
.
items
(),
...
...
@@ -422,22 +378,16 @@ class TestApp(AsyncHTTPTestCase):
'Content-Type'
:
content_type
,
'content-length'
:
str
(
len
(
body
))
}
if
swallow_http_errors
:
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
b
'Invalid unicode'
,
response
.
body
)
else
:
with
self
.
assertRaises
(
HTTPError
)
as
ctx
:
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
'Bad Request'
,
ctx
.
exception
.
message
)
@tornado.testing.gen_test
def
test_app_post_form_with_large_body_size_by_multipart_form
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
'h'
*
(
2
*
max_body_size
)
files
=
[(
'privatekey'
,
'user_rsa_key'
,
privatekey
)]
content_type
,
body
=
encode_multipart_formdata
(
self
.
body_dict
.
items
(),
...
...
@@ -447,33 +397,24 @@ class TestApp(AsyncHTTPTestCase):
}
with
self
.
assertRaises
(
HTTPError
)
as
ctx
:
yield
client
.
fetch
(
url
,
method
=
'POST'
,
headers
=
headers
,
body
=
body
)
yield
self
.
async_post
(
url
,
body
,
headers
=
headers
)
self
.
assertIn
(
'Bad Request'
,
ctx
.
exception
.
message
)
@tornado.testing.gen_test
def
test_app_post_form_with_large_body_size_by_urlencoded_form
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
privatekey
=
'h'
*
(
2
*
max_body_size
)
body
=
self
.
body
+
'&privatekey='
+
privatekey
with
self
.
assertRaises
(
HTTPError
)
as
ctx
:
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
body
)
yield
self
.
async_post
(
url
,
body
)
self
.
assertIn
(
'Bad Request'
,
ctx
.
exception
.
message
)
@tornado.testing.gen_test
def
test_app_with_user_keyonly_for_bad_authentication_type
(
self
):
url
=
self
.
get_url
(
'/'
)
client
=
self
.
get_http_client
()
response
=
yield
client
.
fetch
(
url
)
self
.
assertEqual
(
response
.
code
,
200
)
self
.
body_dict
.
update
(
username
=
'keyonly'
,
password
=
'foo'
)
body
=
urlencode
(
self
.
body_dict
)
response
=
yield
client
.
fetch
(
url
,
method
=
'POST'
,
body
=
body
)
response
=
yield
self
.
async_post
(
url
,
body
)
self
.
assertEqual
(
response
.
code
,
200
)
data
=
json
.
loads
(
to_str
(
response
.
body
))
self
.
assertIsNone
(
data
[
'id'
])
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment