
1"""Test scenario for the app urls. 

2 

3## Domain 

4 

5* Users as in `conftest`, under *players* 

6* Clean slate, see `starters`. 

7* The user table 

8 

9## Acts 

10 

11Making requests with long urls and many long request arguments. 

12We follow all the url patterns defined in `control.app`, except 

13`/login` and `/logout`, because they have been dealt with in 

14`test_20_users`. 

15 

16`test_long` 

17: All users fire a long url and get a 400 (bad request) response. 

18 

19`test_static` 

20: The public user 

21 

22 * fires a bare static url and fails 

23 * fires a bare static url for a favicon and fails 

24 

25`test_staticFile` 

26: The public user 

27 

28 * fires a static url for a long file name and fails 

29 * fires a static url for an existing css file but with illegal query 

30 params and fails. 

31 * fires a static url for an existing css file but with a legal but long query 

32 param and fails. 

33 * fires a static url for an existing css file with a legal and short but 

34 non-sensical query param and also fails. 

35 * fires a static url for an existing css file and succeeds. 

36 * fires a static url for an existing favicon file and succeeds. 

37 * fires a static url for a non-existing css file and fails. 

38 * fires a static url for a non-existing favicon file and fails. 

39 

40Here is a table of tests that access a url according to a specific pattern, 

41and then vary the url-parts and query string to make it illegal. 

42 

43test | url pattern 

44--- | --- 

45`test_home` | /, /index, /index.html 

46`test_info` | /info 

47`test_workflow` | /workflow 

48`test_task` | /api/task/{task}/{eid} 

49`test_insert` | /api/{table}/insert 

50`test_insertDetail` | /api/{table}/{eid}/{dtable}/insert 

51`test_listOpen` | /{table}/list/{eid} 

52`test_list` | /{table}/list 

53`test_delete` | /api/{table}/delete/{eid} 

54`test_deleteDetail` | /api/{table}/{masterId}/{dtable}/delete/{eid} 

55`test_item` | /api/{table}/item/{eid} 

56`test_itemTitle` | /api/{table}/item/{eid}/title 

57`test_itemDetail` | /{table}/item/{eid}/open/{dtable}/{deid} 

58`test_itemPage` | /{table}/item/{eid} 

59`test_field` | /api/{table}/item/{eid}/field/{field} 

60 

61`test_clean` 

62: Restore the database to a clean slate, because we have made a mess of it 

63 during the previous tests. 

64""" 

65 

66import pytest 

67 

68import magic # noqa 

69from conftest import USERS 

70from helpers import forall 

71from starters import start 

72from subtest import illegalize, isIllegal, assertStatus 

73from example import ( 

74 ASSESS, 

75 COMMON_CSS, 

76 COMMONX_CSS, 

77 CONTRIB, 

78 DUMMY_ID, 

79 FAV, 

80 FAVICON, 

81 FAVICON_S, 

82 FAVICON_SX, 

83 FAVICONX, 

84 ROOT, 

85 STATIC, 

86 SUBMIT_ASSESSMENT, 

87 SYSTEM, 

88 TITLE, 

89) 

90 

# Module-wide scratch dict, filled by test_start with what starters.start()
# returns; empty until that test has run.
startInfo: dict = {}

92 

93 

@pytest.mark.usefixtures("db")
def test_start(clientOffice):
    """Reset the database to a clean slate (with users) and keep the start info.

    Runs before the other tests in this module; whatever ``start`` returns
    is merged into the module-level ``startInfo`` dict.
    """
    info = start(clientOffice=clientOffice, users=True)
    startInfo.update(info)

97 

98 

def test_long(clients):
    """Every user fires an over-long url and gets 400 (bad request)."""
    longUrl = f"/{'a' * 1000}"
    # Same expectation for each user: the request is rejected as bad.
    expect = dict.fromkeys(USERS, 400)
    forall(clients, expect, assertStatus, longUrl)

103 

104 

def test_static(clientPublic):
    """The public user fires bare static urls, with and without a trailing slash.

    The bare static url and its favicon variant yield 303; the same urls
    with a trailing slash are rejected with 400.
    """
    cases = (
        (STATIC, 303),
        (f"{STATIC}/", 400),
        (f"{STATIC}{FAV}", 303),
        (f"{STATIC}{FAV}/", 400),
    )
    for url, status in cases:
        assertStatus(clientPublic, url, status)

110 

111 

def test_staticFile(clientPublic):
    """The public user fires static file urls with good and bad names and queries.

    Expected statuses: an over-long file name and any query string on the
    css file are rejected (400); existing css and favicon files succeed
    (200); their non-existing counterparts yield 303.
    """
    longName = f"{STATIC}/" + "a" * 200 + ".html"
    cases = (
        (longName, 400),
        (f"{COMMON_CSS}?xxx=yyy", 400),
        (f"{COMMON_CSS}?action={'a' * 200}", 400),
        (f"{COMMON_CSS}?action={'a' * 10}", 400),
        (COMMON_CSS, 200),
        (COMMONX_CSS, 303),
        (FAVICON, 200),
        (FAVICONX, 303),
        (FAVICON_S, 200),
        (FAVICON_SX, 303),
    )
    for url, status in cases:
        assertStatus(clientPublic, url, status)

123 

124 

def test_home(clients):
    """All users fire the home page urls, then illegal variations of them."""
    homeUrls = ("/", "/index", "/index.html")
    for url in homeUrls:
        illegalize(clients, url)

128 

129 

def test_info(clients):
    """All users fire the info urls (html and tsv), then illegal variations."""
    for url in ("/info", "/info.tsv"):
        illegalize(clients, url)

133 

134 

@pytest.mark.parametrize(
    "requestParam",
    [
        "action",
        "anything",
        "assessed",
        "bulk",
        "country",
        "deid",
        "dtable",
        "eid",
        "email",
        "eppn",
        "field",
        "filepath",
        "groups",
        "masterId",
        "method",
        "reverse",
        "reviewed",
        "sortcol",
        "table",
        "task",
    ],
)
def test_info_params(clients, requestParam):
    """Each request parameter on /info carrying a script-injection probe is illegal.

    The probe is a url-encoded ``<script>`` tag; ``isIllegal`` (from
    ``subtest``) asserts that the app treats such a request as illegal
    for every client, whichever parameter name carries the value.
    """
    probe = "udhdu%27%3E%3Cscript%3Ealert(/XSS/)%3C/script%3Ec8dik"
    isIllegal(clients, f"/info?{requestParam}={probe}")

163 

164 

def test_workflow(clients):
    """/workflow: system and root get 302, every other user 303; then illegal variants."""
    url = "/workflow"
    # Hoisted so the set is not rebuilt for every user.
    privileged = {SYSTEM, ROOT}
    expect = {user: 302 if user in privileged else 303 for user in USERS}
    forall(clients, expect, assertStatus, url)
    illegalize(clients, url)

170 

171 

def test_task(clients):
    """/api/task/{task}/{eid} and illegal variations of it."""
    params = dict(task=SUBMIT_ASSESSMENT, eid=DUMMY_ID)
    illegalize(clients, "/api/task/{task}/{eid}", **params)

174 

175 

def test_insert(clients):
    """/api/{table}/insert and illegal variations of it."""
    pattern = "/api/{table}/insert"
    illegalize(clients, pattern, table=CONTRIB)

178 

179 

def test_insertDetail(clients):
    """/api/{table}/{eid}/{dtable}/insert and illegal variations of it."""
    pattern = "/api/{table}/{eid}/{dtable}/insert"
    params = dict(table=CONTRIB, eid=DUMMY_ID, dtable=ASSESS)
    illegalize(clients, pattern, **params)

188 

189 

def test_listOpen(clients):
    """/{table}/list/{eid} and illegal variations of it."""
    pattern = "/{table}/list/{eid}"
    illegalize(clients, pattern, table=CONTRIB, eid=DUMMY_ID)

192 

193 

def test_list(clients):
    """/{table}/list and illegal variations of it."""
    params = dict(table=CONTRIB)
    illegalize(clients, "/{table}/list", **params)

196 

197 

def test_delete(clients):
    """/api/{table}/delete/{eid} and illegal variations of it."""
    pattern = "/api/{table}/delete/{eid}"
    illegalize(clients, pattern, table=CONTRIB, eid=DUMMY_ID)

200 

201 

def test_deleteDetail(clients):
    """/api/{table}/{masterId}/{dtable}/delete/{eid} and illegal variations of it."""
    pattern = "/api/{table}/{masterId}/{dtable}/delete/{eid}"
    params = dict(
        table=CONTRIB,
        masterId=DUMMY_ID,
        dtable=ASSESS,
        eid=DUMMY_ID,
    )
    illegalize(clients, pattern, **params)

211 

212 

def test_item(clients):
    """/api/{table}/item/{eid} and illegal variations of it."""
    pattern = "/api/{table}/item/{eid}"
    illegalize(clients, pattern, table=CONTRIB, eid=DUMMY_ID)

215 

216 

def test_itemTitle(clients):
    """/api/{table}/item/{eid}/title and illegal variations of it."""
    params = dict(table=CONTRIB, eid=DUMMY_ID)
    illegalize(clients, "/api/{table}/item/{eid}/title", **params)

219 

220 

def test_itemDetail(clients):
    """/{table}/item/{eid}/open/{dtable}/{deid} and illegal variations of it."""
    pattern = "/{table}/item/{eid}/open/{dtable}/{deid}"
    params = dict(
        table=CONTRIB,
        eid=DUMMY_ID,
        dtable=ASSESS,
        deid=DUMMY_ID,
    )
    illegalize(clients, pattern, **params)

230 

231 

def test_itemPage(clients):
    """/{table}/item/{eid} and illegal variations of it."""
    pattern = "/{table}/item/{eid}"
    illegalize(clients, pattern, table=CONTRIB, eid=DUMMY_ID)

234 

235 

def test_field(clients):
    """/api/{table}/item/{eid}/field/{field} and illegal variations of it."""
    pattern = "/api/{table}/item/{eid}/field/{field}"
    params = dict(table=CONTRIB, eid=DUMMY_ID, field=TITLE)
    illegalize(clients, pattern, **params)