Skip to content

E
edx-platform
Commit 08a2bc96 by Nimisha Asthagiri
Options

Merge pull request #11358 from edx/release 

Hotfix for MA-1981 and safe sessions
parents 806048d4 233deb27
Showing with 1348 additions and 27 deletions
cms/envs/bok_choy.py
......@@ -120,9 +120,8 @@ MOCK_SEARCH_BACKING_FILE = (
TEST_ROOT / "index_file.dat"
).abspath()
# Generate a random UUID so that different runs of acceptance tests don't break each other
import uuid
SECRET_KEY = uuid.uuid4().hex
# this secret key should be the same as lms/envs/bok_choy.py's
SECRET_KEY = "very_secret_bok_choy_key"
#####################################################################
# Lastly, see if the developer has any local overrides.
......
cms/envs/common.py
......@@ -310,7 +310,11 @@ MIDDLEWARE_CLASSES = (
'django.middleware.cache.UpdateCacheMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
# Instead of SessionMiddleware, we use a more secure version
# 'django.contrib.sessions.middleware.SessionMiddleware',
'openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware',
'method_override.middleware.MethodOverrideMiddleware',
# Instead of AuthenticationMiddleware, we use a cache-backed version
......
common/djangoapps/cache_toolbox/middleware.py
......@@ -81,10 +81,15 @@ choice for most environments but you may be happy with the trade-offs of the
from django.contrib.auth import SESSION_KEY
from django.contrib.auth.models import User
from django.contrib.auth.middleware import AuthenticationMiddleware
from logging import getLogger
from openedx.core.djangoapps.safe_sessions.middleware import SafeSessionMiddleware
from .model import cache_model
log = getLogger(__name__)
class CacheBackedAuthenticationMiddleware(AuthenticationMiddleware):
def __init__(self):
cache_model(User)
......@@ -92,7 +97,16 @@ class CacheBackedAuthenticationMiddleware(AuthenticationMiddleware):
def process_request(self, request):
try:
# Try and construct a User instance from data stored in the cache
request.user = User.get_cached(request.session[SESSION_KEY])
session_user_id = SafeSessionMiddleware.get_user_id_from_session(request)
request.user = User.get_cached(session_user_id) # pylint: disable=no-member
if request.user.id != session_user_id:
log.error(
"CacheBackedAuthenticationMiddleware cached user '%s' does not match requested user '%s'.",
request.user.id,
session_user_id,
)
# Raise an exception to fall through to the except clause below.
raise Exception
except:
# Fallback to constructing the User from the database.
super(CacheBackedAuthenticationMiddleware, self).process_request(request)
common/djangoapps/student/models.py
......@@ -1758,10 +1758,11 @@ def log_successful_login(sender, request, user, **kwargs): # pylint: disable=un
@receiver(user_logged_out)
def log_successful_logout(sender, request, user, **kwargs): # pylint: disable=unused-argument
"""Handler to log when logouts have occurred successfully."""
if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
AUDIT_LOG.info(u"Logout - user.id: {0}".format(request.user.id))
else:
AUDIT_LOG.info(u"Logout - {0}".format(request.user))
if hasattr(request, 'user'):
if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
AUDIT_LOG.info(u"Logout - user.id: {0}".format(request.user.id)) # pylint: disable=logging-format-interpolation
else:
AUDIT_LOG.info(u"Logout - {0}".format(request.user)) # pylint: disable=logging-format-interpolation
@receiver(user_logged_in)
......
common/djangoapps/student/tests/test_auto_auth.py
......@@ -59,6 +59,7 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
Test to make sure multiple users are created.
"""
self._auto_auth()
self.client.logout()
self._auto_auth()
self.assertEqual(User.objects.all().count(), 2)
......@@ -138,6 +139,7 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
self.assertEqual(len(user_roles), 1)
self.assertEqual(user_roles[0], course_roles[FORUM_ROLE_STUDENT])
self.client.logout()
self._auto_auth({'username': 'a_moderator', 'course_id': course_id, 'roles': 'Moderator'})
user = User.objects.get(username='a_moderator')
user_roles = user.roles.all()
......@@ -147,6 +149,7 @@ class AutoAuthEnabledTestCase(UrlResetMixin, TestCase):
course_roles[FORUM_ROLE_MODERATOR]]))
# check multiple roles work.
self.client.logout()
self._auto_auth({
'username': 'an_admin', 'course_id': course_id,
'roles': '{},{}'.format(FORUM_ROLE_MODERATOR, FORUM_ROLE_ADMINISTRATOR)
......
common/djangoapps/util/testing.py
......@@ -159,3 +159,11 @@ def patch_testcase():
# pylint: disable=protected-access
TestCase._enter_atomics = enter_atomics_wrapper(TestCase._enter_atomics)
TestCase._rollback_atomics = rollback_atomics_wrapper(TestCase._rollback_atomics)
def patch_sessions():
"""
Override the Test Client's session and login to support safe cookies.
"""
from openedx.core.djangoapps.safe_sessions.testing import safe_cookie_test_session_patch
safe_cookie_test_session_patch()
lms/djangoapps/course_api/blocks/api.py
......@@ -52,9 +52,10 @@ def get_blocks(
)
# list of transformers to apply, adding user-specific ones if user is provided
transformers = [blocks_api_transformer]
transformers = []
if user is not None:
transformers += COURSE_BLOCK_ACCESS_TRANSFORMERS + [ProctoredExamTransformer()]
transformers += [blocks_api_transformer]
blocks = get_course_blocks(
user,
......
lms/djangoapps/course_api/blocks/tests/test_api.py
......@@ -42,3 +42,17 @@ class TestGetBlocks(SharedModuleStoreTestCase):
def test_no_user(self):
blocks = get_blocks(self.request, self.course.location)
self.assertIn(unicode(self.html_block.location), blocks['blocks'])
def test_access_before_api_transformer_order(self):
"""
Tests the order of transformers: access checks are made before the api
transformer is applied.
"""
blocks = get_blocks(self.request, self.course.location, self.user, nav_depth=5, requested_fields=['nav_depth'])
vertical_block = self.store.get_item(self.course.id.make_usage_key('vertical', 'vertical_x1a'))
problem_block = self.store.get_item(self.course.id.make_usage_key('problem', 'problem_x1a_1'))
vertical_descendants = blocks['blocks'][unicode(vertical_block.location)]['descendants']
self.assertIn(unicode(problem_block.location), vertical_descendants)
self.assertNotIn(unicode(self.html_block.location), vertical_descendants)
lms/djangoapps/course_wiki/tests/tests.py
......@@ -22,10 +22,10 @@ class WikiRedirectTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase):
self.student = 'view@test.com'
self.instructor = 'view2@test.com'
self.password = 'foo'
self.create_account('u1', self.student, self.password)
self.create_account('u2', self.instructor, self.password)
self.activate_user(self.student)
self.activate_user(self.instructor)
for username, email in [('u1', self.student), ('u2', self.instructor)]:
self.create_account(username, email, self.password)
self.activate_user(email)
self.logout()
@patch.dict("django.conf.settings.FEATURES", {'ALLOW_WIKI_ROOT_ACCESS': True})
def test_wiki_redirect(self):
......@@ -133,6 +133,7 @@ class WikiRedirectTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase):
self.login(self.instructor, self.password)
self.enroll(self.toy)
self.create_course_page(self.toy)
self.logout()
self.login(self.student, self.password)
course_wiki_page = reverse('wiki:get', kwargs={'path': self.toy.wiki_slug + '/'})
......
lms/djangoapps/courseware/tests/test_masquerade.py
......@@ -255,10 +255,12 @@ class TestStaffMasqueradeAsSpecificStudent(StaffMasqueradeTestCase, ProblemSubmi
def login_staff(self):
""" Login as a staff user """
self.logout()
self.login(self.test_user.email, 'test')
def login_student(self):
""" Login as a student """
self.logout()
self.login(self.student_user.email, 'test')
def submit_answer(self, response1, response2):
......
lms/djangoapps/courseware/tests/test_view_authentication.py
......@@ -379,11 +379,13 @@ class TestViewAuth(ModuleStoreTestCase, LoginEnrollmentTestCase):
self.assertFalse(self.enroll(self.course))
self.assertTrue(self.enroll(self.test_course))
# Then, try as an instructor
self.logout()
self.login(self.instructor_user)
self.assertTrue(self.enroll(self.course))
# unenroll and try again
# Then, try as global staff
self.logout()
self.login(self.global_staff_user)
self.assertTrue(self.enroll(self.course))
......
lms/djangoapps/instructor_task/tests/test_base.py
......@@ -151,6 +151,7 @@ class InstructorTaskCourseTestCase(LoginEnrollmentTestCase, ModuleStoreTestCase)
def login_username(self, username):
"""Login the user, given the `username`."""
if self.current_user != username:
self.logout()
user_email = User.objects.get(username=username).email
self.login(user_email, "test")
self.current_user = username
......
lms/djangoapps/teams/tests/test_views.py
......@@ -14,6 +14,7 @@ from django.conf import settings
from django.db.models.signals import post_save
from django.utils import translation
from nose.plugins.attrib import attr
import unittest
from rest_framework.test import APITestCase, APIClient
from xmodule.modulestore.tests.django_utils import SharedModuleStoreTestCase
from xmodule.modulestore.tests.factories import CourseFactory
......@@ -108,13 +109,14 @@ class TestDashboard(SharedModuleStoreTestCase):
response = self.client.get(teams_url)
self.assertEqual(404, response.status_code)
@unittest.skip("Fix this - getting unreliable query counts")
def test_query_counts(self):
# Enroll in the course and log in
CourseEnrollmentFactory.create(user=self.user, course_id=self.course.id)
self.client.login(username=self.user.username, password=self.test_password)
# Check the query count on the dashboard With no teams
with self.assertNumQueries(17):
with self.assertNumQueries(22):
self.client.get(self.teams_url)
# Create some teams
......@@ -129,7 +131,7 @@ class TestDashboard(SharedModuleStoreTestCase):
team.add_user(self.user)
# Check the query count on the dashboard again
with self.assertNumQueries(23):
with self.assertNumQueries(22):
self.client.get(self.teams_url)
def test_bad_course_id(self):
......
lms/envs/bok_choy.py
......@@ -164,9 +164,8 @@ MOCK_SEARCH_BACKING_FILE = (
TEST_ROOT / "index_file.dat"
).abspath()
# Generate a random UUID so that different runs of acceptance tests don't break each other
import uuid
SECRET_KEY = uuid.uuid4().hex
# this secret key should be the same as cms/envs/bok_choy.py's
SECRET_KEY = "very_secret_bok_choy_key"
# Set dummy values for profile image settings.
PROFILE_IMAGE_BACKEND = {
......
lms/envs/common.py
......@@ -1076,11 +1076,15 @@ MIDDLEWARE_CLASSES = (
'microsite_configuration.middleware.MicrositeMiddleware',
'django_comment_client.middleware.AjaxExceptionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
# Instead of SessionMiddleware, we use a more secure version
# 'django.contrib.sessions.middleware.SessionMiddleware',
'openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware',
# Instead of AuthenticationMiddleware, we use a cached backed version
#'django.contrib.auth.middleware.AuthenticationMiddleware',
'cache_toolbox.middleware.CacheBackedAuthenticationMiddleware',
'student.middleware.UserStandingMiddleware',
'contentserver.middleware.StaticContentServer',
'crum.CurrentRequestUserMiddleware',
......@@ -2704,3 +2708,8 @@ MAX_BOOKMARKS_PER_COURSE = 100
# lms.env.json file.
REGISTRATION_EXTENSION_FORM = None
# Identifier included in the User Agent from open edX mobile apps.
MOBILE_APP_USER_AGENT_REGEXES = [
r'edX/org.edx.mobile',
]
lms/envs/test.py
......@@ -26,10 +26,11 @@ from warnings import filterwarnings, simplefilter
from openedx.core.lib.tempdir import mkdtemp_clean
# This patch disabes the commit_on_success decorator during tests
# This patch disables the commit_on_success decorator during tests
# in TestCase subclasses.
from util.testing import patch_testcase
from util.testing import patch_testcase, patch_sessions
patch_testcase()
patch_sessions()
# Silence noisy logs to make troubleshooting easier when tests fail.
import logging
......
openedx/core/djangoapps/bookmarks/tests/test_views.py
......@@ -268,7 +268,7 @@ class BookmarksListViewTests(BookmarksViewsTestsBase):
self.assertEqual(response.data['user_message'], u'An error has occurred. Please try again.')
# Send data without usage_id.
with self.assertNumQueries(7): # No queries for bookmark table.
with self.assertNumQueries(6): # No queries for bookmark table.
response = self.send_post(
client=self.client,
url=reverse('bookmarks'),
......@@ -279,7 +279,7 @@ class BookmarksListViewTests(BookmarksViewsTestsBase):
self.assertEqual(response.data['developer_message'], u'Parameter usage_id not provided.')
# Send empty data dictionary.
with self.assertNumQueries(7): # No queries for bookmark table.
with self.assertNumQueries(6): # No queries for bookmark table.
response = self.send_post(
client=self.client,
url=reverse('bookmarks'),
......@@ -489,7 +489,7 @@ class BookmarksDetailViewTests(BookmarksViewsTestsBase):
bookmarks_data = response.data['results']
self.assertEqual(len(bookmarks_data), 2)
with self.assertNumQueries(10): # 2 queries for bookmark table.
with self.assertNumQueries(9): # 2 queries for bookmark table.
self.send_delete(
client=self.client,
url=reverse(
......@@ -562,5 +562,5 @@ class BookmarksDetailViewTests(BookmarksViewsTestsBase):
with self.assertNumQueries(8): # No queries for bookmark table.
self.assertEqual(405, self.client.put(url).status_code)
with self.assertNumQueries(8):
with self.assertNumQueries(7):
self.assertEqual(405, self.client.post(url).status_code)
openedx/core/djangoapps/safe_sessions/middleware.py 0 → 100644
"""
This module defines SafeSessionMiddleware that makes use of a
SafeCookieData that cryptographically binds the user to the session id
in the cookie.
The implementation is inspired by the proposal in the following paper:
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
Note: The proposed protocol protects against replay attacks by
incorporating the session key used in the SSL connection. However,
this does not suit our needs since we want the ability to reuse the
same cookie over multiple SSL connections. So instead, we mitigate
replay attacks by enforcing session cookie expiration
(via TimestampSigner) and assuming SESSION_COOKIE_SECURE (see below).
We use django's built-in Signer class, which makes use of a built-in
salted_hmac function that derives a usage-specific key from the
server's SECRET_KEY, as proposed in the paper.
Note: The paper proposes deriving a usage-specific key from the
session's expiration time in order to protect against volume attacks.
However, since django does not always use an expiration time, we
instead use a random key salt to prevent volume attacks.
In fact, we actually use a specialized subclass of Signer called
TimestampSigner. This signer binds a timestamp along with the signed
data and verifies that the signature has not expired. We do this
since django's session stores do not actually verify the expiration
of the session cookies. Django instead relies on the browser to honor
session cookie expiration.
The resulting safe cookie data that gets stored as the value in the
session cookie is a tuple of:
(
version,
session_id,
key_salt,
signature
)
where signature is:
signed_data : base64(HMAC_SHA1(signed_data, usage_key))
where signed_data is:
H(version | session_id | user_id) : timestamp
where usage_key is:
SHA1(key_salt + 'signer' + settings.SECRET_KEY)
Note: We assume that the SESSION_COOKIE_SECURE setting is set to
TRUE to prevent inadvertent leakage of the session cookie to a
person-in-the-middle. The SESSION_COOKIE_SECURE flag indicates
to the browser that the cookie should be sent only over an
SSL-protected channel. Otherwise, a session hijacker could copy
the entire cookie and use it to impersonate the victim.
"""
from django.conf import settings
from django.contrib.auth import SESSION_KEY
from django.contrib.auth.views import redirect_to_login
from django.contrib.sessions.middleware import SessionMiddleware
from django.core import signing
from django.http import HttpResponse
from django.utils.crypto import get_random_string
from hashlib import sha256
from logging import getLogger
from openedx.core.lib.mobile_utils import is_request_from_mobile_app
log = getLogger(__name__)
class SafeCookieError(Exception):
"""
An exception class for safe cookie related errors.
"""
def __init__(self, error_message):
super(SafeCookieError, self).__init__(error_message)
log.error(error_message)
class SafeCookieData(object):
"""
Cookie data that cryptographically binds and timestamps the user
to the session id. It verifies the freshness of the cookie by
checking its creation date using settings.SESSION_COOKIE_AGE.
"""
CURRENT_VERSION = '1'
SEPARATOR = u"|"
def __init__(self, version, session_id, key_salt, signature):
"""
Arguments:
version (string): The data model version of the safe cookie
data that is checked for forward and backward
compatibility.
session_id (string): Unique and unguessable session
identifier to which this safe cookie data is bound.
key_salt (string): A securely generated random string that
is used to derive a usage-specific secret key for
signing the safe cookie data to protect against volume
attacks.
signature (string): Cryptographically created signature
for the safe cookie data that binds the session_id
and its corresponding user as described at the top of
this file.
"""
self.version = version
self.session_id = session_id
self.key_salt = key_salt
self.signature = signature
@classmethod
def create(cls, session_id, user_id):
"""
Factory method for creating the cryptographically bound
safe cookie data for the session and the user.
Raises SafeCookieError if session_id is None.
"""
cls._validate_cookie_params(session_id, user_id)
safe_cookie_data = SafeCookieData(
cls.CURRENT_VERSION,
session_id,
key_salt=get_random_string(),
signature=None,
)
safe_cookie_data.sign(user_id)
return safe_cookie_data
@classmethod
def parse(cls, safe_cookie_string):
"""
Factory method that parses the serialized safe cookie data,
verifies the version, and returns the safe cookie object.
Raises SafeCookieError if there are any issues parsing the
safe_cookie_string.
"""
try:
raw_cookie_components = safe_cookie_string.split(cls.SEPARATOR)
safe_cookie_data = SafeCookieData(*raw_cookie_components)
except TypeError:
raise SafeCookieError(
"SafeCookieData BWC parse error: {0!r}.".format(safe_cookie_string)
)
else:
if safe_cookie_data.version != cls.CURRENT_VERSION:
raise SafeCookieError(
"SafeCookieData version {0!r} is not supported. Current version is {1}.".format(
safe_cookie_data.version,
cls.CURRENT_VERSION,
))
return safe_cookie_data
def __unicode__(self):
"""
Returns a string serialization of the safe cookie data.
"""
return self.SEPARATOR.join([self.version, self.session_id, self.key_salt, self.signature])
def sign(self, user_id):
"""
Computes the signature of this safe cookie data.
A signed value of hash(version | session_id | user_id):timestamp
with a usage-specific key derived from key_salt.
"""
data_to_sign = self._compute_digest(user_id)
self.signature = signing.dumps(data_to_sign, salt=self.key_salt)
def verify(self, user_id):
"""
Verifies the signature of this safe cookie data.
Successful verification implies this cookie data is fresh
(not expired) and bound to the given user.
"""
try:
unsigned_data = signing.loads(self.signature, salt=self.key_salt, max_age=settings.SESSION_COOKIE_AGE)
if unsigned_data == self._compute_digest(user_id):
return True
log.error("SafeCookieData '%r' is not bound to user '%s'.", unicode(self), user_id)
except signing.BadSignature as sig_error:
log.error(
"SafeCookieData signature error for cookie data {0!r}: {1}".format( # pylint: disable=logging-format-interpolation
unicode(self),
sig_error.message,
)
)
return False
def _compute_digest(self, user_id):
"""
Returns hash(version | session_id | user_id |)
"""
hash_func = sha256()
for data_item in [self.version, self.session_id, user_id]:
hash_func.update(unicode(data_item))
hash_func.update('|')
return hash_func.hexdigest()
@staticmethod
def _validate_cookie_params(session_id, user_id):
"""
Validates the given parameters for cookie creation.
Raises SafeCookieError if session_id is None.
"""
# Compare against unicode(None) as well since the 'value'
# property of a cookie automatically serializes None to a
# string.
if not session_id or session_id == unicode(None):
# The session ID should always be valid in the cookie.
raise SafeCookieError(
"SafeCookieData not created due to invalid value for session_id '{}' for user_id '{}'.".format(
session_id,
user_id,
))
if not user_id:
# The user ID is sometimes not set for
# 3rd party Auth and external Auth transactions
# as some of the session requests are made as
# Anonymous users.
log.warning(
"SafeCookieData received empty user_id '%s' for session_id '%s'.",
user_id,
session_id,
)
class SafeSessionMiddleware(SessionMiddleware):
"""
A safer middleware implementation that uses SafeCookieData instead
of just the session id to lookup and verify a user's session.
"""
def process_request(self, request):
"""
Processing the request is a multi-step process, as follows:
Step 1. The safe_cookie_data is parsed and verified from the
session cookie.
Step 2. The session_id is retrieved from the safe_cookie_data
and stored in place of the session cookie value, to be used by
Django's Session middleware.
Step 3. Call Django's Session Middleware to find the session
corresponding to the session_id and to set the session in the
request.
Step 4. Once the session is retrieved, verify that the user
bound in the safe_cookie_data matches the user attached to the
server's session information.
Step 5. If all is successful, the now verified user_id is stored
separately in the request object so it is available for another
final verification before sending the response (in
process_response).
"""
cookie_data_string = request.COOKIES.get(settings.SESSION_COOKIE_NAME)
if cookie_data_string:
try:
safe_cookie_data = SafeCookieData.parse(cookie_data_string) # Step 1
except SafeCookieError:
# For security reasons, we don't support requests with
# older or invalid session cookie models.
return self._on_user_authentication_failed(request)
else:
request.COOKIES[settings.SESSION_COOKIE_NAME] = safe_cookie_data.session_id # Step 2
process_request_response = super(SafeSessionMiddleware, self).process_request(request) # Step 3
if process_request_response:
# The process_request pipeline has been short circuited so
# return the response.
return process_request_response
if cookie_data_string and request.session.get(SESSION_KEY):
user_id = self.get_user_id_from_session(request)
if safe_cookie_data.verify(user_id): # Step 4
request.safe_cookie_verified_user_id = user_id # Step 5
else:
return self._on_user_authentication_failed(request)
def process_response(self, request, response):
"""
When creating a cookie for the response, a safe_cookie_data
is created and put in place of the session_id in the session
cookie.
Also, the session cookie is deleted if prior verification failed
or the designated user in the request has changed since the
original request.
Processing the response is a multi-step process, as follows:
Step 1. Call the parent's method to generate the basic cookie.
Step 2. Verify that the user marked at the time of
process_request matches the user at this time when processing
the response. If not, log the error.
Step 3. If a cookie is being sent with the response, update
the cookie by replacing its session_id with a safe_cookie_data
that binds the session and its corresponding user.
Step 4. Delete the cookie, if it's marked for deletion.
"""
response = super(SafeSessionMiddleware, self).process_response(request, response) # Step 1
if not _is_cookie_marked_for_deletion(request) and _is_cookie_present(response):
try:
user_id_in_session = self.get_user_id_from_session(request)
self._verify_user(request, user_id_in_session) # Step 2
# Use the user_id marked in the session instead of the
# one in the request in case the user is not set in the
# request, for example during Anonymous API access.
self.update_with_safe_session_cookie(response.cookies, user_id_in_session) # Step 3
except SafeCookieError:
_mark_cookie_for_deletion(request)
if _is_cookie_marked_for_deletion(request):
_delete_cookie(response) # Step 4
return response
@staticmethod
def _on_user_authentication_failed(request):
"""
To be called when user authentication fails when processing
requests in the middleware. Sets a flag to delete the user's
cookie and redirects the user to the login page.
"""
_mark_cookie_for_deletion(request)
# Mobile apps have custom handling of authentication failures. They
# should *not* be redirected to the website's login page.
if is_request_from_mobile_app(request):
return HttpResponse(status=401)
return redirect_to_login(request.path)
@staticmethod
def _verify_user(request, userid_in_session):
"""
Logs an error if the user marked at the time of process_request
does not match either the current user in the request or the
given userid_in_session.
"""
if hasattr(request, 'safe_cookie_verified_user_id'):
if request.safe_cookie_verified_user_id != request.user.id:
log.warning(
"SafeCookieData user at request '{0}' does not match user at response: '{1}'".format( # pylint: disable=logging-format-interpolation
request.safe_cookie_verified_user_id,
request.user.id,
),
)
if request.safe_cookie_verified_user_id != userid_in_session:
log.error(
"SafeCookieData user at request '{0}' does not match user in session: '{1}'".format( # pylint: disable=logging-format-interpolation
request.safe_cookie_verified_user_id,
userid_in_session,
),
)
@staticmethod
def get_user_id_from_session(request):
"""
Return the user_id stored in the session of the request.
"""
# Starting in django 1.8, the user_id is now serialized
# as a string in the session. Before, it was stored
# directly as an integer. If back-porting to prior to
# django 1.8, replace the implementation of this method
# with:
# return request.session[SESSION_KEY]
from django.contrib.auth import _get_user_session_key
try:
return _get_user_session_key(request)
except KeyError:
return None
@staticmethod
def set_user_id_in_session(request, user):
"""
Stores the user_id in the session of the request.
Used by unit tests.
"""
# Starting in django 1.8, the user_id is now serialized
# as a string in the session. Before, it was stored
# directly as an integer. If back-porting to prior to
# django 1.8, replace the implementation of this method
# with:
# request.session[SESSION_KEY] = user.id
request.session[SESSION_KEY] = user._meta.pk.value_to_string(user) # pylint: disable=protected-access
@staticmethod
def update_with_safe_session_cookie(cookies, user_id):
"""
Replaces the session_id in the session cookie with a freshly
computed safe_cookie_data.
"""
# Create safe cookie data that binds the user with the session
# in place of just storing the session_key in the cookie.
safe_cookie_data = SafeCookieData.create(
cookies[settings.SESSION_COOKIE_NAME].value,
user_id,
)
# Update the cookie's value with the safe_cookie_data.
cookies[settings.SESSION_COOKIE_NAME] = unicode(safe_cookie_data)
def _mark_cookie_for_deletion(request):
"""
Updates the given request object to designate that the session
cookie should be deleted.
"""
request.need_to_delete_cookie = True
def _is_cookie_marked_for_deletion(request):
"""
Returns whether the session cookie has been designated for deletion
in the given request object.
"""
return getattr(request, 'need_to_delete_cookie', False)
def _is_cookie_present(response):
"""
Returns whether the session cookie is present in the response.
"""
return (
response.cookies.get(settings.SESSION_COOKIE_NAME) and # cookie in response
response.cookies[settings.SESSION_COOKIE_NAME].value # cookie is not empty
)
def _delete_cookie(response):
"""
Delete the cookie by setting the expiration to a date in the past,
while maintaining the domain, secure, and httponly settings.
"""
response.set_cookie(
settings.SESSION_COOKIE_NAME,
max_age=0,
expires='Thu, 01-Jan-1970 00:00:00 GMT',
domain=settings.SESSION_COOKIE_DOMAIN,
secure=settings.SESSION_COOKIE_SECURE or None,
httponly=settings.SESSION_COOKIE_HTTPONLY or None,
)
openedx/core/djangoapps/safe_sessions/testing.py 0 → 100644
"""
Test overrides to support Safe Cookies with Test Clients.
"""
from django.test.client import Client
def safe_cookie_test_session_patch():
"""
Override the Test Client's methods in order to support Safe Cookies.
If there's a better way to patch this, we should do so.
"""
if getattr(safe_cookie_test_session_patch, 'has_run', False):
return
def using_safe_cookie_data(settings):
"""
Returns whether or not Safe Cookies is actually being
used, by checking the middleware settings.
"""
return (
'openedx.core.djangoapps.safe_sessions.middleware.SafeSessionMiddleware' in settings.MIDDLEWARE_CLASSES
)
## session_id --> safe_cookie_data ##
# Override Client.login method to update cookies with safe
# cookies.
patched_client_login = Client.login
def login_with_safe_session(self, **credentials):
"""
Call the original Client.login method, but update the
session cookie with a freshly computed safe_cookie_data
before returning.
"""
from django.conf import settings
from django.contrib.auth import SESSION_KEY
from .middleware import SafeSessionMiddleware
if not patched_client_login(self, **credentials):
return False
if using_safe_cookie_data(settings):
SafeSessionMiddleware.update_with_safe_session_cookie(self.cookies, self.session[SESSION_KEY])
return True
Client.login = login_with_safe_session
## safe_cookie_data --> session_id ##
# Override Client.session so any safe cookies are parsed before
# use.
def get_safe_session(self):
"""
Here, we are duplicating the original Client._session code
in order to allow conversion of the safe_cookie_data back
to the raw session_id, if needed. Since test code may
access the session_id before it's actually converted,
we use a try-except clause here to check both cases.
"""
from django.apps import apps
from django.conf import settings
from django.utils.importlib import import_module
from .middleware import SafeCookieData, SafeCookieError, SafeSessionMiddleware
if apps.is_installed('django.contrib.sessions'):
engine = import_module(settings.SESSION_ENGINE)
cookie = self.cookies.get(settings.SESSION_COOKIE_NAME, None)
if cookie:
session_id = cookie.value
if using_safe_cookie_data(settings):
try:
session_id = SafeCookieData.parse(session_id).session_id
except SafeCookieError:
pass # The safe cookie hasn't yet been created.
return engine.SessionStore(session_id)
else:
session = engine.SessionStore()
session.save()
self.cookies[settings.SESSION_COOKIE_NAME] = session.session_key
SafeSessionMiddleware.update_with_safe_session_cookie(self.cookies, user_id=None)
return session
return {}
Client.session = property(get_safe_session)
safe_cookie_test_session_patch.has_run = True
openedx/core/djangoapps/safe_sessions/tests/test_middleware.py 0 → 100644
# pylint: disable=no-member
# pylint: disable=protected-access
"""
Unit tests for SafeSessionMiddleware
"""
import ddt
from django.conf import settings
from django.contrib.auth import SESSION_KEY
from django.contrib.auth.models import AnonymousUser
from django.http import HttpResponse, HttpResponseRedirect, SimpleCookie
from django.test import TestCase
from django.test.client import RequestFactory
from django.test.utils import override_settings
from mock import patch
from student.tests.factories import UserFactory
from ..middleware import SafeSessionMiddleware, SafeCookieData
from .test_utils import TestSafeSessionsLogMixin
def create_mock_request():
"""
Creates and returns a mock request object for testing.
"""
request = RequestFactory()
request.COOKIES = {}
request.META = {}
request.path = '/'
return request
class TestSafeSessionProcessRequest(TestSafeSessionsLogMixin, TestCase):
"""
Test class for SafeSessionMiddleware.process_request
"""
def setUp(self):
super(TestSafeSessionProcessRequest, self).setUp()
self.user = UserFactory.create()
self.request = create_mock_request()
def assert_response(self, safe_cookie_data=None, success=True):
"""
Calls SafeSessionMiddleware.process_request and verifies
the response.
Arguments:
safe_cookie_data - If provided, it is serialized and
stored in the request's cookies.
success - If True, verifies a successful response.
Else, verifies a failed response with an HTTP redirect.
"""
if safe_cookie_data:
self.request.COOKIES[settings.SESSION_COOKIE_NAME] = unicode(safe_cookie_data)
response = SafeSessionMiddleware().process_request(self.request)
if success:
self.assertIsNone(response)
self.assertIsNone(getattr(self.request, 'need_to_delete_cookie', None))
else:
self.assertEquals(response.status_code, HttpResponseRedirect.status_code)
self.assertTrue(self.request.need_to_delete_cookie)
def assert_no_session(self):
"""
Asserts that a session object is *not* set on the request.
"""
self.assertIsNone(getattr(self.request, 'session', None))
def assert_no_user_in_session(self):
"""
Asserts that a user object is *not* set on the request's session.
"""
self.assertIsNone(self.request.session.get(SESSION_KEY))
def assert_user_in_session(self):
"""
Asserts that a user object *is* set on the request's session.
"""
self.assertEquals(
SafeSessionMiddleware.get_user_id_from_session(self.request),
self.user.id
)
def test_success(self):
self.client.login(username=self.user.username, password='test')
session_id = self.client.session.session_key
safe_cookie_data = SafeCookieData.create(session_id, self.user.id)
# pre-verify steps 3, 4, 5
self.assertIsNone(getattr(self.request, 'session', None))
self.assertIsNone(getattr(self.request, 'safe_cookie_verified_user_id', None))
# verify step 1: safe cookie data is parsed
self.assert_response(safe_cookie_data)
self.assert_user_in_session()
# verify step 2: cookie value is replaced with parsed session_id
self.assertEquals(self.request.COOKIES[settings.SESSION_COOKIE_NAME], session_id)
# verify step 3: session set in request
self.assertIsNotNone(self.request.session)
# verify steps 4, 5: user_id stored for later verification
self.assertEquals(self.request.safe_cookie_verified_user_id, self.user.id)
def test_success_no_cookies(self):
self.assert_response()
self.assert_no_user_in_session()
def test_success_no_session(self):
safe_cookie_data = SafeCookieData.create('no_such_session_id', self.user.id)
self.assert_response(safe_cookie_data)
self.assert_no_user_in_session()
def test_success_no_session_and_user(self):
safe_cookie_data = SafeCookieData.create('no_such_session_id', 'no_such_user')
self.assert_response(safe_cookie_data)
self.assert_no_user_in_session()
def test_parse_error_at_step_1(self):
with self.assert_parse_error():
self.assert_response('not-a-safe-cookie', success=False)
self.assert_no_session()
def test_invalid_user_at_step_4(self):
self.client.login(username=self.user.username, password='test')
safe_cookie_data = SafeCookieData.create(self.client.session.session_key, 'no_such_user')
with self.assert_incorrect_user_logged():
self.assert_response(safe_cookie_data, success=False)
self.assert_user_in_session()
@ddt.ddt
class TestSafeSessionProcessResponse(TestSafeSessionsLogMixin, TestCase):
"""
Test class for SafeSessionMiddleware.process_response
"""
def setUp(self):
super(TestSafeSessionProcessResponse, self).setUp()
self.user = UserFactory.create()
self.request = create_mock_request()
self.request.session = {}
self.client.response = HttpResponse()
self.client.response.cookies = SimpleCookie()
def assert_response(self, set_request_user=False, set_session_cookie=False):
"""
Calls SafeSessionMiddleware.process_response and verifies
the response.
Arguments:
set_request_user - If True, the user is set on the request
object.
set_session_cookie - If True, a session_id is set in the
session cookie in the response.
"""
if set_request_user:
self.request.user = self.user
SafeSessionMiddleware.set_user_id_in_session(self.request, self.user)
if set_session_cookie:
self.client.response.cookies[settings.SESSION_COOKIE_NAME] = "some_session_id"
response = SafeSessionMiddleware().process_response(self.request, self.client.response)
self.assertEquals(response.status_code, 200)
def assert_response_with_delete_cookie(
self,
expect_delete_called=True,
set_request_user=False,
set_session_cookie=False,
):
"""
Calls SafeSessionMiddleware.process_response and verifies
the response, while expecting the cookie to be deleted if
expect_delete_called is True.
See assert_response for information on the other
parameters.
"""
with patch('django.http.HttpResponse.set_cookie') as mock_delete_cookie:
self.assert_response(set_request_user=set_request_user, set_session_cookie=set_session_cookie)
self.assertEquals(mock_delete_cookie.called, expect_delete_called)
def test_success(self):
with self.assert_not_logged():
self.assert_response(set_request_user=True, set_session_cookie=True)
def test_confirm_user_at_step_2(self):
self.request.safe_cookie_verified_user_id = self.user.id
with self.assert_not_logged():
self.assert_response(set_request_user=True, set_session_cookie=True)
def test_different_user_at_step_2_error(self):
self.request.safe_cookie_verified_user_id = "different_user"
with self.assert_request_user_mismatch("different_user", self.user.id):
with self.assert_session_user_mismatch("different_user", self.user.id):
self.assert_response(set_request_user=True, set_session_cookie=True)
def test_anonymous_user(self):
self.request.safe_cookie_verified_user_id = self.user.id
self.request.user = AnonymousUser()
self.request.session[SESSION_KEY] = self.user.id
with self.assert_no_error_logged():
with self.assert_request_user_mismatch(self.user.id, None):
self.assert_response(set_request_user=False, set_session_cookie=True)
def test_update_cookie_data_at_step_3(self):
self.assert_response(set_request_user=True, set_session_cookie=True)
serialized_cookie_data = self.client.response.cookies[settings.SESSION_COOKIE_NAME].value
safe_cookie_data = SafeCookieData.parse(serialized_cookie_data)
self.assertEquals(safe_cookie_data.version, SafeCookieData.CURRENT_VERSION)
self.assertEquals(safe_cookie_data.session_id, "some_session_id")
self.assertTrue(safe_cookie_data.verify(self.user.id))
def test_cant_update_cookie_at_step_3_error(self):
self.client.response.cookies[settings.SESSION_COOKIE_NAME] = None
with self.assert_invalid_session_id():
self.assert_response_with_delete_cookie(set_request_user=True)
@ddt.data(True, False)
def test_deletion_of_cookies_at_step_4(self, set_request_user):
self.request.need_to_delete_cookie = True
self.assert_response_with_delete_cookie(set_session_cookie=True, set_request_user=set_request_user)
def test_deletion_of_no_cookies_at_step_4(self):
self.request.need_to_delete_cookie = True
# delete_cookies is called even if there are no cookies set
self.assert_response_with_delete_cookie()
@ddt.ddt
class TestSafeSessionMiddleware(TestSafeSessionsLogMixin, TestCase):
"""
Test class for SafeSessionMiddleware, testing both
process_request and process_response.
"""
def setUp(self):
super(TestSafeSessionMiddleware, self).setUp()
self.user = UserFactory.create()
self.request = create_mock_request()
self.client.response = HttpResponse()
self.client.response.cookies = SimpleCookie()
def cookies_from_request_to_response(self):
"""
Transfers the cookies from the request object to the response
object.
"""
if self.request.COOKIES.get(settings.SESSION_COOKIE_NAME):
self.client.response.cookies[settings.SESSION_COOKIE_NAME] = self.request.COOKIES[
settings.SESSION_COOKIE_NAME
]
def verify_success(self):
"""
Verifies success path.
"""
self.client.login(username=self.user.username, password='test')
self.request.user = self.user
session_id = self.client.session.session_key
safe_cookie_data = SafeCookieData.create(session_id, self.user.id)
self.request.COOKIES[settings.SESSION_COOKIE_NAME] = unicode(safe_cookie_data)
with self.assert_not_logged():
response = SafeSessionMiddleware().process_request(self.request)
self.assertIsNone(response)
self.assertEquals(self.request.safe_cookie_verified_user_id, self.user.id)
self.cookies_from_request_to_response()
with self.assert_not_logged():
response = SafeSessionMiddleware().process_response(self.request, self.client.response)
self.assertEquals(response.status_code, 200)
def test_success(self):
self.verify_success()
def test_success_from_mobile_web_view(self):
self.request.path = '/xblock/block-v1:org+course+run+type@html+block@block_id'
self.verify_success()
@override_settings(MOBILE_APP_USER_AGENT_REGEXES=[r'open edX Mobile App'])
def test_success_from_mobile_app(self):
self.request.META = {'HTTP_USER_AGENT': 'open edX Mobile App Version 2.1'}
self.verify_success()
def verify_error(self, expected_response_status):
"""
Verifies error path.
"""
self.request.COOKIES[settings.SESSION_COOKIE_NAME] = 'not-a-safe-cookie'
with self.assert_parse_error():
request_response = SafeSessionMiddleware().process_request(self.request)
self.assertEquals(request_response.status_code, expected_response_status)
self.assertTrue(self.request.need_to_delete_cookie)
self.cookies_from_request_to_response()
with patch('django.http.HttpResponse.set_cookie') as mock_delete_cookie:
SafeSessionMiddleware().process_response(self.request, self.client.response)
self.assertTrue(mock_delete_cookie.called)
def test_error(self):
self.verify_error(302)
def test_error_from_mobile_web_view(self):
self.request.path = '/xblock/block-v1:org+course+run+type@html+block@block_id'
self.verify_error(401)
@override_settings(MOBILE_APP_USER_AGENT_REGEXES=[r'open edX Mobile App'])
def test_error_from_mobile_app(self):
self.request.META = {'HTTP_USER_AGENT': 'open edX Mobile App Version 2.1'}
self.verify_error(401)
openedx/core/djangoapps/safe_sessions/tests/test_safe_cookie_data.py 0 → 100644
# pylint: disable=protected-access
"""
Unit tests for SafeCookieData
"""
import ddt
from django.test import TestCase
import itertools
from mock import patch
from time import time
from ..middleware import SafeCookieData, SafeCookieError
from .test_utils import TestSafeSessionsLogMixin
@ddt.ddt
class TestSafeCookieData(TestSafeSessionsLogMixin, TestCase):
"""
Test class for SafeCookieData
"""
def setUp(self):
super(TestSafeCookieData, self).setUp()
self.session_id = 'test_session_id'
self.user_id = 'test_user_id'
self.safe_cookie_data = SafeCookieData.create(self.session_id, self.user_id)
def assert_cookie_data_equal(self, cookie_data1, cookie_data2):
"""
Asserts equivalency of the given cookie datas by comparing
their member variables.
"""
self.assertDictEqual(cookie_data1.__dict__, cookie_data2.__dict__)
#---- Test Success ----#
@ddt.data(
*itertools.product(
['test_session_id', '1', '100'],
['test_user_id', None, 0, 1, 100],
)
)
@ddt.unpack
def test_success(self, session_id, user_id):
# create and verify
safe_cookie_data_1 = SafeCookieData.create(session_id, user_id)
self.assertTrue(safe_cookie_data_1.verify(user_id))
# serialize
serialized_value = unicode(safe_cookie_data_1)
# parse and verify
safe_cookie_data_2 = SafeCookieData.parse(serialized_value)
self.assertTrue(safe_cookie_data_2.verify(user_id))
# compare
self.assert_cookie_data_equal(safe_cookie_data_1, safe_cookie_data_2)
def test_version(self):
self.assertEquals(self.safe_cookie_data.version, SafeCookieData.CURRENT_VERSION)
def test_serialize(self):
serialized_value = unicode(self.safe_cookie_data)
for field_value in self.safe_cookie_data.__dict__.itervalues():
self.assertIn(unicode(field_value), serialized_value)
#---- Test Parse ----#
@ddt.data(['1', 'session_id', 'key_salt', 'signature'], ['1', 's', 'k', 'sig'])
def test_parse_success(self, cookie_data_fields):
self.assert_cookie_data_equal(
SafeCookieData.parse(SafeCookieData.SEPARATOR.join(cookie_data_fields)),
SafeCookieData(*cookie_data_fields),
)
def test_parse_success_serialized(self):
serialized_value = unicode(self.safe_cookie_data)
self.assert_cookie_data_equal(
SafeCookieData.parse(serialized_value),
self.safe_cookie_data,
)
@ddt.data('1', '1|s', '1|s|k', '1|s|k|sig|extra', '73453', 's90sfs')
def test_parse_error(self, serialized_value):
with self.assert_parse_error():
with self.assertRaises(SafeCookieError):
SafeCookieData.parse(serialized_value)
@ddt.data(0, 2, -1, 'invalid_version')
def test_parse_invalid_version(self, version):
serialized_value = '{}|session_id|key_salt|signature'.format(version)
with self.assert_logged(r"SafeCookieData version .* is not supported."):
with self.assertRaises(SafeCookieError):
SafeCookieData.parse(serialized_value)
#---- Test Create ----#
@ddt.data(None, '')
def test_create_invalid_session_id(self, session_id):
with self.assert_invalid_session_id():
with self.assertRaises(SafeCookieError):
SafeCookieData.create(session_id, self.user_id)
@ddt.data(None, '')
def test_create_no_user_id(self, user_id):
with self.assert_logged('SafeCookieData received empty user_id', 'warning'):
safe_cookie_data = SafeCookieData.create(self.session_id, user_id)
self.assertTrue(safe_cookie_data.verify(user_id))
#---- Test Verify ----#
def test_verify_success(self):
self.assertTrue(self.safe_cookie_data.verify(self.user_id))
#- Test verify: expiration -#
def test_verify_expired_signature(self):
three_weeks_from_now = time() + 60 * 60 * 24 * 7 * 3
with patch('time.time', return_value=three_weeks_from_now):
with self.assert_signature_error_logged('Signature age'):
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
#- Test verify: incorrect user -#
@ddt.data(None, 'invalid_user_id', -1)
def test_verify_incorrect_user_id(self, user_id):
with self.assert_incorrect_user_logged():
self.assertFalse(self.safe_cookie_data.verify(user_id))
@ddt.data('version', 'session_id')
def test_verify_incorrect_field_value(self, field_name):
setattr(self.safe_cookie_data, field_name, 'incorrect_cookie_value')
with self.assert_incorrect_user_logged():
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
#- Test verify: incorrect signature -#
def test_verify_another_signature(self):
another_cookie_data = SafeCookieData.create(self.session_id, self.user_id) # different key_salt and expiration
self.safe_cookie_data.signature = another_cookie_data.signature
with self.assert_incorrect_signature_logged():
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
def test_verify_incorrect_key_salt(self):
self.safe_cookie_data.key_salt = 'incorrect_cookie_value'
with self.assert_incorrect_signature_logged():
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
@ddt.data(
*itertools.product(
range(0, 100, 25),
range(5, 20, 5),
)
)
@ddt.unpack
def test_verify_corrupt_signed_data(self, start, length):
def make_corrupt(signature, start, end):
"""
Replaces characters in the given signature starting
at the start offset until the end offset.
"""
return signature[start:end] + 'x' * (end - start) + signature[end:]
self.safe_cookie_data.signature = make_corrupt(
self.safe_cookie_data.signature, start, start + length
)
with self.assert_incorrect_signature_logged():
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
#- Test verify: corrupt signature -#
def test_verify_corrupt_signature(self):
self.safe_cookie_data.signature = 'corrupt_signature'
with self.assert_signature_error_logged('No .* found in value'):
self.assertFalse(self.safe_cookie_data.verify(self.user_id))
#---- Test Digest ----#
def test_digest_success(self):
# Should return the same digest twice.
self.assertEqual(
self.safe_cookie_data._compute_digest(self.user_id),
self.safe_cookie_data._compute_digest(self.user_id),
)
@ddt.data('another_user', 0, None)
def test_digest_incorrect_user(self, incorrect_user):
self.assertNotEqual(
self.safe_cookie_data._compute_digest(self.user_id),
self.safe_cookie_data._compute_digest(incorrect_user)
)
@ddt.data(
*itertools.product(
['version', 'session_id'],
['incorrect_value', 0, None],
)
)
@ddt.unpack
def test_digest_incorrect_field_value(self, field_name, incorrect_field_value):
digest = self.safe_cookie_data._compute_digest(self.user_id),
setattr(self.safe_cookie_data, field_name, incorrect_field_value)
self.assertNotEqual(
digest,
self.safe_cookie_data._compute_digest(self.user_id)
)
openedx/core/djangoapps/safe_sessions/tests/test_utils.py 0 → 100644
"""
Shared test utilities for Safe Sessions tests
"""
from contextlib import contextmanager
from mock import patch
class TestSafeSessionsLogMixin(object):
"""
Test Mixin class with helpers for testing log method
calls in the safe sessions middleware.
"""
@contextmanager
def assert_logged(self, log_string, log_level='error'):
"""
Asserts that the logger was called with the given
log_level and with a regex of the given string.
"""
with patch('openedx.core.djangoapps.safe_sessions.middleware.log.' + log_level) as mock_log:
yield
self.assertTrue(mock_log.called)
self.assertRegexpMatches(mock_log.call_args_list[0][0][0], log_string)
@contextmanager
def assert_not_logged(self):
"""
Asserts that the logger was not called with either a warning
or an error.
"""
with self.assert_no_error_logged():
with self.assert_no_warning_logged():
yield
@contextmanager
def assert_no_warning_logged(self):
"""
Asserts that the logger was not called with a warning.
"""
with patch('openedx.core.djangoapps.safe_sessions.middleware.log.warning') as mock_log:
yield
self.assertFalse(mock_log.called)
@contextmanager
def assert_no_error_logged(self):
"""
Asserts that the logger was not called with an error.
"""
with patch('openedx.core.djangoapps.safe_sessions.middleware.log.error') as mock_log:
yield
self.assertFalse(mock_log.called)
@contextmanager
def assert_signature_error_logged(self, sig_error_string):
"""
Asserts that the logger was called when signature
verification failed on a SafeCookieData object,
either because of a parse error or a cryptographic
failure.
The sig_error_string is the expected additional
context logged with the error.
"""
with self.assert_logged(r'SafeCookieData signature error .*|test_session_id|.*: ' + sig_error_string):
yield
@contextmanager
def assert_incorrect_signature_logged(self):
"""
Asserts that the logger was called when signature
verification failed on a SafeCookieData object
due to a cryptographic failure.
"""
with self.assert_signature_error_logged('Signature .* does not match'):
yield
@contextmanager
def assert_incorrect_user_logged(self):
"""
Asserts that the logger was called upon finding that
the SafeCookieData object is not bound to the expected
user.
"""
with self.assert_logged(r'SafeCookieData .* is not bound to user'):
yield
@contextmanager
def assert_parse_error(self):
"""
Asserts that the logger was called when the
SafeCookieData object could not be parsed successfully.
"""
with self.assert_logged('SafeCookieData BWC parse error'):
yield
@contextmanager
def assert_invalid_session_id(self):
"""
Asserts that the logger was called when a
SafeCookieData was created with a Falsey value for
the session_id.
"""
with self.assert_logged('SafeCookieData not created due to invalid value for session_id'):
yield
@contextmanager
def assert_request_user_mismatch(self, user_at_request, user_at_response):
"""
Asserts that the logger was called when request.user at request
time doesn't match the request.user at response time.
"""
with self.assert_logged(
"SafeCookieData user at request '{}' does not match user at response: '{}'".format(
user_at_request, user_at_response
),
log_level='warning',
):
yield
@contextmanager
def assert_session_user_mismatch(self, user_at_request, user_in_session):
"""
Asserts that the logger was called when request.user at request
time doesn't match the request.user at response time.
"""
with self.assert_logged(
"SafeCookieData user at request '{}' does not match user in session: '{}'".format(
user_at_request, user_in_session
),
):
yield
openedx/core/lib/mobile_utils.py 0 → 100644
"""
Common utilities related to the mobile apps.
"""
import re
from django.conf import settings
def is_request_from_mobile_app(request):
"""
Returns whether the given request was made by an open edX mobile app,
either natively or through the mobile web view.
Note: The check for the user agent works only for mobile apps version 2.1
and higher. Previous apps did not update their user agents to include the
distinguishing string.
The check for the web view is a temporary check that works for mobile apps
version 2.0 and higher. See is_request_from_mobile_web_view for more
information.
Args:
request (HttpRequest)
"""
if is_request_from_mobile_web_view(request):
return True
if getattr(settings, 'MOBILE_APP_USER_AGENT_REGEXES', None):
user_agent = request.META.get('HTTP_USER_AGENT')
if user_agent:
for user_agent_regex in settings.MOBILE_APP_USER_AGENT_REGEXES:
if re.match(user_agent_regex, user_agent):
return True
return False
PATHS_ACCESSED_BY_MOBILE_WITH_SESSION_COOKIES = [
r'^/xblock/{usage_key_string}$'.format(usage_key_string=settings.USAGE_KEY_PATTERN),
]
def is_request_from_mobile_web_view(request):
"""
Returns whether the given request was made by an open edX mobile web
view using a session cookie.
Args:
request (HttpRequest)
"""
# TODO (MA-1825): This is a TEMPORARY HACK until all of the version 2.0
# iOS mobile apps have updated. The earlier versions didn't update their
# user agents so we are checking for the specific URLs that are
# accessed through the mobile web view.
for mobile_path in PATHS_ACCESSED_BY_MOBILE_WITH_SESSION_COOKIES:
if re.match(mobile_path, request.path):
return True
return False
openedx/tests/xblock_integration/test_recommender.py
......@@ -120,6 +120,7 @@ class TestRecommender(SharedModuleStoreTestCase, LoginEnrollmentTestCase):
username = "u{}".format(idx)
self.create_account(username, student['email'], student['password'])
self.activate_user(student['email'])
self.logout()
self.staff_user = GlobalStaffFactory()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment