From 239da7f642daf034e78cbc184832a16aa01b9a9d Mon Sep 17 00:00:00 2001
From: Konstantin Haase
Date: Mon, 20 Jun 2011 09:16:44 +0200
Subject: [PATCH] spects for token checks
---
 .../spec/authenticity_token_spec.rb | 34 +++++++++++++++----
 rack-protection/spec/form_token_spec.rb | 32 ++++++++++++++---
 rack-protection/spec/spec_helper.rb | 25 ++++++++++++--
 3 files changed, 78 insertions(+), 13 deletions(-)
diff --git a/rack-protection/spec/authenticity_token_spec.rb b/rack-protection/spec/authenticity_token_spec.rb
index b7a92d2d..7758e262 100644
--- a/rack-protection/spec/authenticity_token_spec.rb
+++ b/rack-protection/spec/authenticity_token_spec.rb
@@ -2,10 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::AuthenticityToken do
 it_behaves_like "any rack application"
- it "denies post requests without any token"
- it "accepts post requests with correct X-CSRF-Token header"
- it "denies post requests with wrong X-CSRF-Token header"
- it "accepts post form requests with correct authenticity_token field"
- it "denies post form requests with wrong authenticity_token field"
- it "prevents ajax requests without a valid token"
+
+ it "denies post requests without any token" do
+ post('/').should_not be_ok
+ end
+
+ it "accepts post requests with correct X-CSRF-Token header" do
+ post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+ last_response.should be_ok
+ end
+
+ it "denies post requests with wrong X-CSRF-Token header" do
+ post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+ last_response.should_not be_ok
+ end
+
+ it "accepts post form requests with correct authenticity_token field" do
+ post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+ last_response.should be_ok
+ end
+
+ it "denies post form requests with wrong authenticity_token field" do
+ post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+ last_response.should_not be_ok
+ end
+
+ it "prevents ajax requests without a valid token" do
+ post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
+ end
 end
diff --git a/rack-protection/spec/form_token_spec.rb b/rack-protection/spec/form_token_spec.rb
index dfdf15e3..0c4aa371 100644
--- a/rack-protection/spec/form_token_spec.rb
+++ b/rack-protection/spec/form_token_spec.rb
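Review bot: Every "denies"/"prevents" example in this hunk asserts only `last_response.should_not be_ok`, so a middleware that raised and produced a 500 would pass exactly like a correct rejection; pin the forbidden status the middleware is expected to deny with, e.g. `last_response.status.should == 403`, in each of those examples. The hunk also never covers a session that holds no token while the request supplies one, which is the case that exposes an implementation comparing a missing session token permissively; one more example such as `post('/', {}, 'HTTP_X_CSRF_TOKEN' => "a"); last_response.should_not be_ok` closes that gap. The same two points apply to the form_token_spec.rb hunk, whose first five examples are identical.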
@@ -2,8 +2,32 @@ require File.expand_path('../spec_helper.rb', __FILE__)
 
 describe Rack::Protection::FormToken do
 it_behaves_like "any rack application"
- it "denies post form requests without any token"
- it "accepts post form requests with correct authenticity_token field"
- it "denies post form requests with wrong authenticity_token field"
- it "accepts ajax requests without a valid token"
+
+ it "denies post requests without any token" do
+ post('/').should_not be_ok
+ end
+
+ it "accepts post requests with correct X-CSRF-Token header" do
+ post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
+ last_response.should be_ok
+ end
+
+ it "denies post requests with wrong X-CSRF-Token header" do
+ post('/', {}, 'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
+ last_response.should_not be_ok
+ end
+
+ it "accepts post form requests with correct authenticity_token field" do
+ post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "a"})
+ last_response.should be_ok
+ end
+
+ it "denies post form requests with wrong authenticity_token field" do
+ post('/', {"authenticity_token" => "a"}, 'rack.session' => {:csrf => "b"})
+ last_response.should_not be_ok
+ end
+
+ it "accepts ajax requests without a valid token" do
+ post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should be_ok
+ end
 end
diff --git a/rack-protection/spec/spec_helper.rb b/rack-protection/spec/spec_helper.rb
index 1b7a9603..4b8426bb 100644
--- a/rack-protection/spec/spec_helper.rb
+++ b/rack-protection/spec/spec_helper.rb
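Review bot: The last example locks in that a POST carrying only `X-Requested-With: XMLHttpRequest` and no token is accepted by FormToken, while the sibling AuthenticityToken spec asserts the opposite, and nothing in the file says why a client-supplied header is an acceptable substitute for the token here. A comment above that example would make the design decision reviewable, e.g. `# X-Requested-With is not a header a browser sets on cross-origin requests without a CORS preflight, so FormToken treats its presence as proof the request came from same-origin script` (presumably the middleware's rationale — confirm against Rack::Protection::FormToken). The three header-based examples at the top were copied from authenticity_token_spec.rb and replace the pending "post form" descriptions; they only hold if FormToken keeps the X-CSRF-Token handling of AuthenticityToken, which the hunk does not state.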
@@ -1,6 +1,25 @@
 require 'rack/protection'
 require 'rack/test'
 require 'forwardable'
+require 'stringio'
+
+if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
+ version = Gem.loaded_specs['rack'].version.to_s
+else
+ version = Rack.release + '.0'
+end
+
+if version == "1.3"
+ Rack::Session::Abstract::ID.class_eval do
+ private
+ def prepare_session(env)
+ session_was = env[ENV_SESSION_KEY]
+ env[ENV_SESSION_KEY] = SessionHash.new(self, env)
+ env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
+ env[ENV_SESSION_KEY].merge! session_was if session_was
+ end
+ end
+end
 
 module DummyApp
 def self.call(env)
@@ -25,7 +44,7 @@ module TestHelpers
 klass = described_class
 mock_app do
 use Rack::Head
- use Rack::Session::Cookie
+ use(Rack::Config) { |e| e['rack.session'] ||= {}}
 use klass
 run app
 end
@@ -99,7 +118,7 @@ shared_examples_for 'any rack application' do
 
 mock_app do
 use Rack::Head
- use Rack::Session::Cookie
+ use(Rack::Config) { |e| e['rack.session'] ||= {}}
 use detector
 use klass
 run DummyApp
@@ -126,7 +145,7 @@ shared_examples_for 'any rack application' do
 
 mock_app do
 use Rack::Head
- use Rack::Session::Cookie
+ use(Rack::Config) { |e| e['rack.session'] ||= {}}
 use detector
 use klass
 use changer
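Review bot: `if version == "1.3"` cannot be true on the fallback branch, because `Rack.release + '.0'` always yields a string with a third segment (e.g. "1.3.0"), and on the gem branch `Gem::Version#to_s` only equals "1.3" if the installed gem's version has exactly two segments, so the `prepare_session` override is in practice never installed. Compare on the major.minor prefix instead, e.g. `if version.start_with?("1.3")`, or `if Gem::Version.new(version).segments.first(2) == [1, 3]`. Redefining a private method of `Rack::Session::Abstract::ID` from spec_helper.rb also deserves a one-line comment above the `class_eval` naming the Rack 1.3 behaviour being worked around — from the body it looks like the test-injected 'rack.session' being replaced instead of merged, but that is inferred and should be stated by the author.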
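Review bot: `use(Rack::Config) { |e| e['rack.session'] ||= {}}` replaces the cookie session with a plain Hash that lives for one request, so a csrf token exists only when an example injects it through 'rack.session' and nothing is serialized or restored between two `post` calls; a short comment on that line, e.g. `# in-memory session: examples must supply 'rack.session' themselves, tokens do not persist across requests`, would stop someone from later writing a two-request example that silently passes or fails for the wrong reason. The identical line is repeated in the two following hunks of this file (the `mock_app` bodies under shared_examples_for); defining it once in TestHelpers as `fake_session = lambda { |e| e['rack.session'] ||= {} }` and writing `use Rack::Config, &fake_session` in all three places keeps them from drifting. Minor style: `{}}` wants a space before the closing brace.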