idZddlZddlmcmZddlZddlZ ddl Z dZ ddZ ddZ dZdZdZd Zd Zd Zd Zd ZdZdZdS)zD Sprint 19 Tests: auth/login, security headers, request size limit. Nzhttp://127.0.0.1:8788ctjt|z}|r0|D]\}}|||tj|d5}tj| |j t|j fcdddS#1swxYwYdS)N timeout) urllibrequestRequestBASEitems add_headerurlopenjsonloadsreadstatusdictheaders)pathrreqkvrs 0/home/ubuntu/hermes-webui/tests/test_sprint19.pygetr s .  - -C!MMOO ! !DAq NN1a   R  0 0?Az!&&((##QXtAI>??????????????????s;ACC C ctj|pi}tjt |z|ddi}|r0|D]\}}||| tj |d5}tj | |j t|jfcdddS#1swxYwYdS#tjj$rJ}tj | |jt|jfcYd}~Sd}~wwxYw)Nz Content-Typezapplication/json)datarrr)rdumpsencoderrr r r r r rrrrrerror HTTPErrorcode) rbodyrrrrrres rpostr$s :djb ! ! ( ( * *D . 4)79K(L ! N NC!MMOO ! !DAq NN1a = ^ # #C # 4 4 C:affhh''4 ??B C C C C C C C C C C C C C C C C C C < !===z!&&((##QVT!)__<<<<<<<=sC!D)AC6) D6C::D=C:>DE!?EE!E!cztd\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}dd|iz}ttj|d x}}|d }d }||u}|sltjd |fd ||ftj|tj|dz} dd| iz} ttj| d x}x}}d S)z5Auth should be disabled by default (no password set)./api/auth/status==z%(py0)s == %(py3)srpy0py3assert %(py5)spy5N auth_enabledFisz%(py1)s is %(py4)spy1py4assert %(py6)spy6 r @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _safereprAssertionError_format_explanation dr_ @py_assert2 @py_assert1 @py_format4 @py_format6 @py_assert0 @py_assert3 @py_format5 @py_format7s rtest_auth_status_disabledrM"s)**LAvq6S=6S66S ^ %%  %%%%%%%%%% %%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%ctdddi\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}d d |iz}ttj|d x}}|d }d }||u}|sltjd|fd||ftj|tj|dz} dd| iz} ttj| d x}x}}d S)z8Login should succeed trivially when auth is not enabled.z/api/auth/loginpasswordanythingr'r(r*rr+r.r/NokTr1r3r4r7r8) r$r:r;r<r=r>r?r@rArBs rtest_login_when_auth_disabledrS)s)J +CDDLAvq6S=6S66S T7d7d?7d7drNctd\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}dd|iz}ttj|d x}}d }||v}|stjd |fd ||ftj|d tjvstj|rtj|nd dz}dd|iz}ttj|d x}}d S)z>When auth is disabled, all routes should work without cookies. /api/sessionsr'r(r*rr+r.r/Nsessionsinz%(py1)s in %(py3)srCr5r-r9rCrrDrErFrGrHrIs r'test_all_routes_accessible_without_authr\0s''LAvq6S=6S66S :?::rNc"tjtdz}tj|d5}|}|j}d}||k}|stj d|fd||fdtj vstj |rtj |ndtj |tj |dz}d d |iz}ttj|d x}x}}d }||v} | stj d | fd||ftj |dtj vstj |rtj |nddz} dd| iz}ttj|d x}} d}||v} | stj d | fd||ftj |dtj vstj |rtj |nddz} dd| iz}ttj|d x}} d d d d S#1swxYwYd S)z-GET /login should return the login page HTML.z/loginrrr'r()z.%(py2)s {%(py2)s = %(py0)s.status } == %(py5)sr)r,py2r/zassert %(py7)spy7NzSign inrWrYhtmlrZr.r/Hermes)rrr r r rdecoderr:r;r<r=r>r?r@rA) rrr`rF @py_assert4rJrH @py_format8rIrErGs rtest_login_page_servedre7s .  1 1C   R  0 0 Avvxx  x3x3x3qqx3 yD          yD     y           D     D                           x4x4x44                   s H.JJ JcFtd\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}dd|iz}ttj|d x}}|j}d }||}d } || k} | stjd| fd || fd tjvstj|rtj|nd tj|tj|tj|tj| dz} dd| iz} ttj| d x}x}x}x} } |j}d}||}d} || k} | stjd| fd || fd tjvstj|rtj|nd tj|tj|tj|tj| dz} dd| iz} ttj| d x}x}x}x} } |j}d}||}d} || k} | stjd| fd || fd tjvstj|rtj|nd tj|tj|tj|tj| dz} dd| iz} ttj| d x}x}x}x} } d S)z/JSON responses should include security headers.r&r'r(r*rr+r.r/NX-Content-Type-OptionsnosniffzI%(py6)s {%(py6)s = %(py2)s {%(py2)s = %(py0)s.get }(%(py4)s) } == %(py9)srr,r^r6r8py9assert %(py11)spy11zX-Frame-OptionsDENYzReferrer-Policyz same-originr9 rCrrrErFrGrHrJ @py_assert5 @py_assert8 @py_assert7 @py_format10 @py_format12s rtest_security_headers_on_jsonruCs;/00Avw6S=6S66S ;=/=;;/ 0 0=I= 0I ========== 0I============7=====7======;====/==== 0====I=============================== ;3(3;;( ) )3V3 )V 3333333333 )V3333333333337333337333333;3333(3333 )3333V3333333333333333333333333333333 ;:(:;;( ) ):]: )] :::::::::: )]::::::::::::7:::::7::::::;::::(:::: )::::]:::::::::::::::::::::::::::::::::rNcftd\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}dd|iz}ttj|d x}}|j}d }||}d } || k} | stjd| fd || fd tjvstj|rtj|nd tj|tj|tj|tj| dz} dd| iz} ttj| d x}x}x}x} } d S)z0Health endpoint should include security headers.z/healthr'r(r*rr+r.r/Nrgrhrirrjrlrmr9ros rtest_security_headers_on_healthrwLsYAvw6S=6S66S ;=/=;;/ 0 0=I= 0I ========== 0I============7=====7======;====/==== 0====I=================================rNctd\}}}|j}d}||}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|tj|tj|tj|dz}dd |iz} ttj| d x}x}x}x}}d S) z2API responses should have Cache-Control: no-store.rUz Cache-Controlzno-storer(rirrjrlrmNr9) rCrrrFrJrprqrrrsrts rtest_cache_control_no_storerySs8_--Avw ;55;; ' '5:5 ': 5555555555 ':5555555555557555557555555;55555555 '5555:555555555555555555555555555555555rNctd\}}}d}||k}|stjd|fd||fdtjvstj|rtj|ndtj|dz}dd|iz}ttj|d x}}d }||v}|stjd |fd ||ftj|d tjvstj|rtj|nd dz}dd|iz}ttj|d x}}d S)z=GET /api/settings must never expose the stored password hash. /api/settingsr'r(r*rr+r.r/N password_hashnot inz%(py1)s not in %(py3)srCrZr9r[s r'test_settings_password_hash_not_exposedr[s''LAvq6S=6S66S #?! ##########?!#####?###########!#####!#############################rNcTtd\}}}tdddi\}}}d}||k}|stjd|fd||fdt jvstj|rtj|ndtj|dz}d d |iz}ttj |d x}}td\}}}d } | |v}|stjd |fd| |ftj| dt jvstj|rtj|nddz}d d |iz}ttj |d x} }d} | |v}|stjd |fd| |ftj| dt jvstj|rtj|nddz}d d |iz}ttj |d x} }d S)z1Saving settings should not break existing fields.r{send_keyenterr'r(r*rr+r.r/N default_modelrWrYupdatedrZdefault_workspace) rr$r:r;r<r=r>r?r@rA) currentrDrCrrErFrGrHrrIs r)test_settings_save_preserves_other_fieldsrbs((MGQ*g)>??LAvq6S=6S66S((MGQ %?g %%%%%%%%%%?g%%%%%?%%%%%%%%%%%g%%%%%g%%%%%%%%%%%%%%%%%%%%%%%%%%% ) ' )))))))))) '))))) )))))))))))')))))')))))))))))))))))))))))))))))rNctddditd\}}}d}||k}|stjd|fd||fdt jvstj|rtj|ndtj|dz}d d |iz}ttj |d x}}d}||v}|stjd |fd ||ftj|dt jvstj|rtj|nddz}d d |iz}ttj |d x}}d S)zIPOST /api/settings with password_hash must not overwrite the stored hash.r{r|@deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefr'r(r*rr+r.r/Nr}rrrZ) r$rr:r;r<r=r>r?r@rA)rrrDrErFrGrHrIs r1test_settings_password_hash_not_directly_settableros ?N;<<<_--GVQ6S=6S66S )?' ))))))))))?')))))?)))))))))))')))))')))))))))))))))))))))))))))))rN)N)NN)__doc__builtinsr<_pytest.assertion.rewrite assertionrewriter:r urllib.errorrurllib.requestr rr$rMrSr\rerurwryrrrrNrrs))))))))))))???? = = = = &&&   ;;;>>>666$$$ * * ******rN