Module test_00_app10
Test scenario for the app urls.
Domain
Acts
Making requests with long urls and many long request arguments.
We follow all the url patterns defined in control.app, except
/login and logout, because they have been dealt with in
test_20_users.
test_long()- All users fire a long url and get a 400 (bad request) response.
test_static()-
The public user
- fires a bare static url and fails
- fires a bare static url for a favicon and fails
test_staticFile()-
The public user
- fires a static url for a long file name and fails
- fires a static url for an existing css file but with illegal query params and fails.
- fires a static url for an existing css file but with a legal but long query param and fails.
- fires a static url for an existing css file with a legal and short but non-sensical query param and also fails.
- fires a static url for an existing css file and succeeds.
- fires a static url for an existing favicon file and succeeds.
- fires a static url for a non-existing css file and fails.
- fires a static url for a non-existing favicon file and fails.
Here is a table of tests that access a url according to a specific pattern, and then vary the url-parts and query string to make it illegal.
| test | url pattern |
|---|---|
test_home() |
/, /index, /index.html |
test_info() |
/info ' |
test_workflow() |
/workflow |
test_task() |
/api/task/{task}/{eid} |
test_insert() |
/api/{table}/insert |
test_insertDetail() |
/api/{table}/{eid}/{dtable}/insert |
test_listOpen() |
/{table}/list/{eid} |
test_list() |
/{table}/list |
test_delete() |
/api/{table}/delete/{eid} |
test_deleteDetail() |
/api/{table}/{masterId}/{dtable}/delete/{eid} |
test_item() |
/api/{table}/item/{eid} |
test_itemTitle() |
/api/{table}/item/{eid}/title |
test_itemDetail() |
/{table}/item/{eid}/open/{dtable}/{deid} |
test_itemPage() |
/{table}/item/{eid} |
test_field() |
/api/{table}/item/{eid}/field/{field} |
test_clean- Restore the database to a clean slate, because we have made a mess of it during the previous tests.
Expand source code
"""Test scenario for the app urls.
## Domain
* Users as in `conftest`, under *players*
* Clean slate, see `starters`.
* The user table
## Acts
Making requests with long urls and many long request arguments.
We follow all the url patterns defined in `control.app`, except
`/login` and `logout`, because they have been dealt with in
`test_20_users`.
`test_long`
: All users fire a long url and get a 400 (bad request) response.
`test_static`
: The public user
* fires a bare static url and fails
* fires a bare static url for a favicon and fails
`test_staticFile`
: The public user
* fires a static url for a long file name and fails
* fires a static url for an existing css file but with illegal query
params and fails.
* fires a static url for an existing css file but with a legal but long query
param and fails.
* fires a static url for an existing css file with a legal and short but
non-sensical query param and also fails.
* fires a static url for an existing css file and succeeds.
* fires a static url for an existing favicon file and succeeds.
* fires a static url for a non-existing css file and fails.
* fires a static url for a non-existing favicon file and fails.
Here is a table of tests that access a url according to a specific pattern,
and then vary the url-parts and query string to make it illegal.
test | url pattern
--- | ---
`test_home` | /, /index, /index.html
`test_info` | /info '
`test_workflow` | /workflow
`test_task` | /api/task/{task}/{eid}
`test_insert` | /api/{table}/insert
`test_insertDetail` | /api/{table}/{eid}/{dtable}/insert
`test_listOpen` | /{table}/list/{eid}
`test_list` | /{table}/list
`test_delete` | /api/{table}/delete/{eid}
`test_deleteDetail` | /api/{table}/{masterId}/{dtable}/delete/{eid}
`test_item` | /api/{table}/item/{eid}
`test_itemTitle` | /api/{table}/item/{eid}/title
`test_itemDetail` | /{table}/item/{eid}/open/{dtable}/{deid}
`test_itemPage` | /{table}/item/{eid}
`test_field` | /api/{table}/item/{eid}/field/{field}
`test_clean`
: Restore the database to a clean slate, because we have made a mess of it
during the previous tests.
"""
import pytest
import magic # noqa
from conftest import USERS
from helpers import forall
from starters import start
from subtest import illegalize, isIllegal, assertStatus
from example import (
ASSESS,
COMMON_CSS,
COMMONX_CSS,
CONTRIB,
DUMMY_ID,
FAV,
FAVICON,
FAVICON_S,
FAVICON_SX,
FAVICONX,
ROOT,
STATIC,
SUBMIT_ASSESSMENT,
SYSTEM,
TITLE,
)
startInfo = {}
@pytest.mark.usefixtures("db")
def test_start(clientOffice):
startInfo.update(start(clientOffice=clientOffice, users=True))
def test_long(clients):
url = "/" + "a" * 1000
expect = {user: 400 for user in USERS}
forall(clients, expect, assertStatus, url)
def test_static(clientPublic):
assertStatus(clientPublic, STATIC, 303)
assertStatus(clientPublic, f"{STATIC}/", 400)
assertStatus(clientPublic, f"{STATIC}{FAV}", 303)
assertStatus(clientPublic, f"{STATIC}{FAV}/", 400)
def test_staticFile(clientPublic):
assertStatus(clientPublic, f"{STATIC}/" + ("a" * 200) + ".html", 400)
assertStatus(clientPublic, f"{COMMON_CSS}?xxx=yyy", 400)
assertStatus(clientPublic, f"{COMMON_CSS}?action=" + ("a" * 200), 400)
assertStatus(clientPublic, f"{COMMON_CSS}?action=" + ("a" * 10), 400)
assertStatus(clientPublic, COMMON_CSS, 200)
assertStatus(clientPublic, COMMONX_CSS, 303)
assertStatus(clientPublic, FAVICON, 200)
assertStatus(clientPublic, FAVICONX, 303)
assertStatus(clientPublic, FAVICON_S, 200)
assertStatus(clientPublic, FAVICON_SX, 303)
def test_home(clients):
for url in ["/", "/index", "/index.html"]:
illegalize(clients, url)
def test_info(clients):
illegalize(clients, "/info")
illegalize(clients, "/info.tsv")
@pytest.mark.parametrize(
("requestParam",),
(
("action",),
("anything",),
("assessed",),
("bulk",),
("country",),
("deid",),
("dtable",),
("eid",),
("email",),
("eppn",),
("field",),
("filepath",),
("groups",),
("masterId",),
("method",),
("reverse",),
("reviewed",),
("sortcol",),
("table",),
("task",),
),
)
def test_info_params(clients, requestParam):
hack = "udhdu%27%3E%3Cscript%3Ealert(/XSS/)%3C/script%3Ec8dik"
isIllegal(clients, f"/info?{requestParam}={hack}")
def test_workflow(clients):
url = "/workflow"
expect = {user: 302 if user in {SYSTEM, ROOT} else 303 for user in USERS}
forall(clients, expect, assertStatus, url)
illegalize(clients, url)
def test_task(clients):
illegalize(clients, "/api/task/{task}/{eid}", task=SUBMIT_ASSESSMENT, eid=DUMMY_ID)
def test_insert(clients):
illegalize(clients, "/api/{table}/insert", table=CONTRIB)
def test_insertDetail(clients):
illegalize(
clients,
"/api/{table}/{eid}/{dtable}/insert",
table=CONTRIB,
eid=DUMMY_ID,
dtable=ASSESS,
)
def test_listOpen(clients):
illegalize(clients, "/{table}/list/{eid}", table=CONTRIB, eid=DUMMY_ID)
def test_list(clients):
illegalize(clients, "/{table}/list", table=CONTRIB)
def test_delete(clients):
illegalize(clients, "/api/{table}/delete/{eid}", table=CONTRIB, eid=DUMMY_ID)
def test_deleteDetail(clients):
illegalize(
clients,
"/api/{table}/{masterId}/{dtable}/delete/{eid}",
table=CONTRIB,
masterId=DUMMY_ID,
dtable=ASSESS,
eid=DUMMY_ID,
)
def test_item(clients):
illegalize(clients, "/api/{table}/item/{eid}", table=CONTRIB, eid=DUMMY_ID)
def test_itemTitle(clients):
illegalize(clients, "/api/{table}/item/{eid}/title", table=CONTRIB, eid=DUMMY_ID)
def test_itemDetail(clients):
illegalize(
clients,
"/{table}/item/{eid}/open/{dtable}/{deid}",
table=CONTRIB,
eid=DUMMY_ID,
dtable=ASSESS,
deid=DUMMY_ID,
)
def test_itemPage(clients):
illegalize(clients, "/{table}/item/{eid}", table=CONTRIB, eid=DUMMY_ID)
def test_field(clients):
illegalize(
clients,
"/api/{table}/item/{eid}/field/{field}",
table=CONTRIB,
eid=DUMMY_ID,
field=TITLE,
)Functions
def test_delete(clients)-
Expand source code
def test_delete(clients): illegalize(clients, "/api/{table}/delete/{eid}", table=CONTRIB, eid=DUMMY_ID) def test_deleteDetail(clients)-
Expand source code
def test_deleteDetail(clients): illegalize( clients, "/api/{table}/{masterId}/{dtable}/delete/{eid}", table=CONTRIB, masterId=DUMMY_ID, dtable=ASSESS, eid=DUMMY_ID, ) def test_field(clients)-
Expand source code
def test_field(clients): illegalize( clients, "/api/{table}/item/{eid}/field/{field}", table=CONTRIB, eid=DUMMY_ID, field=TITLE, ) def test_home(clients)-
Expand source code
def test_home(clients): for url in ["/", "/index", "/index.html"]: illegalize(clients, url) def test_info(clients)-
Expand source code
def test_info(clients): illegalize(clients, "/info") illegalize(clients, "/info.tsv") def test_info_params(clients, requestParam)-
Expand source code
@pytest.mark.parametrize( ("requestParam",), ( ("action",), ("anything",), ("assessed",), ("bulk",), ("country",), ("deid",), ("dtable",), ("eid",), ("email",), ("eppn",), ("field",), ("filepath",), ("groups",), ("masterId",), ("method",), ("reverse",), ("reviewed",), ("sortcol",), ("table",), ("task",), ), ) def test_info_params(clients, requestParam): hack = "udhdu%27%3E%3Cscript%3Ealert(/XSS/)%3C/script%3Ec8dik" isIllegal(clients, f"/info?{requestParam}={hack}") def test_insert(clients)-
Expand source code
def test_insert(clients): illegalize(clients, "/api/{table}/insert", table=CONTRIB) def test_insertDetail(clients)-
Expand source code
def test_insertDetail(clients): illegalize( clients, "/api/{table}/{eid}/{dtable}/insert", table=CONTRIB, eid=DUMMY_ID, dtable=ASSESS, ) def test_item(clients)-
Expand source code
def test_item(clients): illegalize(clients, "/api/{table}/item/{eid}", table=CONTRIB, eid=DUMMY_ID) def test_itemDetail(clients)-
Expand source code
def test_itemDetail(clients): illegalize( clients, "/{table}/item/{eid}/open/{dtable}/{deid}", table=CONTRIB, eid=DUMMY_ID, dtable=ASSESS, deid=DUMMY_ID, ) def test_itemPage(clients)-
Expand source code
def test_itemPage(clients): illegalize(clients, "/{table}/item/{eid}", table=CONTRIB, eid=DUMMY_ID) def test_itemTitle(clients)-
Expand source code
def test_itemTitle(clients): illegalize(clients, "/api/{table}/item/{eid}/title", table=CONTRIB, eid=DUMMY_ID) def test_list(clients)-
Expand source code
def test_list(clients): illegalize(clients, "/{table}/list", table=CONTRIB) def test_listOpen(clients)-
Expand source code
def test_listOpen(clients): illegalize(clients, "/{table}/list/{eid}", table=CONTRIB, eid=DUMMY_ID) def test_long(clients)-
Expand source code
def test_long(clients): url = "/" + "a" * 1000 expect = {user: 400 for user in USERS} forall(clients, expect, assertStatus, url) def test_start(clientOffice)-
Expand source code
@pytest.mark.usefixtures("db") def test_start(clientOffice): startInfo.update(start(clientOffice=clientOffice, users=True)) def test_static(clientPublic)-
Expand source code
def test_static(clientPublic): assertStatus(clientPublic, STATIC, 303) assertStatus(clientPublic, f"{STATIC}/", 400) assertStatus(clientPublic, f"{STATIC}{FAV}", 303) assertStatus(clientPublic, f"{STATIC}{FAV}/", 400) def test_staticFile(clientPublic)-
Expand source code
def test_staticFile(clientPublic): assertStatus(clientPublic, f"{STATIC}/" + ("a" * 200) + ".html", 400) assertStatus(clientPublic, f"{COMMON_CSS}?xxx=yyy", 400) assertStatus(clientPublic, f"{COMMON_CSS}?action=" + ("a" * 200), 400) assertStatus(clientPublic, f"{COMMON_CSS}?action=" + ("a" * 10), 400) assertStatus(clientPublic, COMMON_CSS, 200) assertStatus(clientPublic, COMMONX_CSS, 303) assertStatus(clientPublic, FAVICON, 200) assertStatus(clientPublic, FAVICONX, 303) assertStatus(clientPublic, FAVICON_S, 200) assertStatus(clientPublic, FAVICON_SX, 303) def test_task(clients)-
Expand source code
def test_task(clients): illegalize(clients, "/api/task/{task}/{eid}", task=SUBMIT_ASSESSMENT, eid=DUMMY_ID) def test_workflow(clients)-
Expand source code
def test_workflow(clients): url = "/workflow" expect = {user: 302 if user in {SYSTEM, ROOT} else 303 for user in USERS} forall(clients, expect, assertStatus, url) illegalize(clients, url)