# -*- coding: utf-8 -*- # Copyright (C) 2010-2020 RhodeCode GmbH # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License, version 3 # (only), as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # # This program is dual-licensed. If you wish to learn more about the # RhodeCode Enterprise Edition, including its added features, Support services, # and proprietary license terms, please see https://rhodecode.com/licenses/ import mock import pytest from rhodecode.lib import helpers as h from rhodecode.model.db import User, Gist from rhodecode.model.gist import GistModel from rhodecode.model.meta import Session from rhodecode.tests import ( TEST_USER_ADMIN_LOGIN, TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS, TestController, assert_session_flash) def route_path(name, params=None, **kwargs): import urllib from rhodecode.apps._base import ADMIN_PREFIX base_url = { 'gists_show': ADMIN_PREFIX + '/gists', 'gists_new': ADMIN_PREFIX + '/gists/new', 'gists_create': ADMIN_PREFIX + '/gists/create', 'gist_show': ADMIN_PREFIX + '/gists/{gist_id}', 'gist_delete': ADMIN_PREFIX + '/gists/{gist_id}/delete', 'gist_edit': ADMIN_PREFIX + '/gists/{gist_id}/edit', 'gist_edit_check_revision': ADMIN_PREFIX + '/gists/{gist_id}/edit/check_revision', 'gist_update': ADMIN_PREFIX + '/gists/{gist_id}/update', 'gist_show_rev': ADMIN_PREFIX + '/gists/{gist_id}/rev/{revision}', 'gist_show_formatted': ADMIN_PREFIX + '/gists/{gist_id}/rev/{revision}/{format}', 'gist_show_formatted_path': ADMIN_PREFIX + '/gists/{gist_id}/rev/{revision}/{format}/{f_path}', }[name].format(**kwargs) if params: base_url = '{}?{}'.format(base_url, urllib.urlencode(params)) return base_url class GistUtility(object): def __init__(self): self._gist_ids = [] def __call__( self, f_name, content='some gist', lifetime=-1, description='gist-desc', gist_type='public', acl_level=Gist.GIST_PUBLIC, owner=TEST_USER_ADMIN_LOGIN): gist_mapping = { f_name: {'content': content} } user = User.get_by_username(owner) gist = GistModel().create( description, owner=user, gist_mapping=gist_mapping, gist_type=gist_type, lifetime=lifetime, gist_acl_level=acl_level) Session().commit() self._gist_ids.append(gist.gist_id) return gist def cleanup(self): for gist_id in self._gist_ids: gist = Gist.get(gist_id) if gist: Session().delete(gist) Session().commit() @pytest.fixture() def create_gist(request): gist_utility = GistUtility() request.addfinalizer(gist_utility.cleanup) return gist_utility class TestGistsController(TestController): def test_index_empty(self, create_gist): self.log_user() response = self.app.get(route_path('gists_show')) response.mustcontain('data: [],') def test_index(self, create_gist): self.log_user() g1 = create_gist('gist1') g2 = create_gist('gist2', lifetime=1400) g3 = create_gist('gist3', description='gist3-desc') g4 = create_gist('gist4', gist_type='private').gist_access_id response = self.app.get(route_path('gists_show')) response.mustcontain(g1.gist_access_id) response.mustcontain(g2.gist_access_id) response.mustcontain(g3.gist_access_id) response.mustcontain('gist3-desc') response.mustcontain(no=[g4]) # Expiration information should be visible expires_tag = '%s' % h.age_component( h.time_to_utcdatetime(g2.gist_expires)) response.mustcontain(expires_tag.replace('"', '\\"')) def test_index_private_gists(self, create_gist): self.log_user() gist = create_gist('gist5', gist_type='private') response = self.app.get(route_path('gists_show', params=dict(private=1))) # and privates response.mustcontain(gist.gist_access_id) def test_index_show_all(self, create_gist): self.log_user() create_gist('gist1') create_gist('gist2', lifetime=1400) create_gist('gist3', description='gist3-desc') create_gist('gist4', gist_type='private') response = self.app.get(route_path('gists_show', params=dict(all=1))) assert len(GistModel.get_all()) == 4 # and privates for gist in GistModel.get_all(): response.mustcontain(gist.gist_access_id) def test_index_show_all_hidden_from_regular(self, create_gist): self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) create_gist('gist2', gist_type='private') create_gist('gist3', gist_type='private') create_gist('gist4', gist_type='private') response = self.app.get(route_path('gists_show', params=dict(all=1))) assert len(GistModel.get_all()) == 3 # since we don't have access to private in this view, we # should see nothing for gist in GistModel.get_all(): response.mustcontain(no=[gist.gist_access_id]) def test_create(self): self.log_user() response = self.app.post( route_path('gists_create'), params={'lifetime': -1, 'content': 'gist test', 'filename': 'foo', 'gist_type': 'public', 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, 'csrf_token': self.csrf_token}, status=302) response = response.follow() response.mustcontain('added file: foo') response.mustcontain('gist test') def test_create_with_path_with_dirs(self): self.log_user() response = self.app.post( route_path('gists_create'), params={'lifetime': -1, 'content': 'gist test', 'filename': '/home/foo', 'gist_type': 'public', 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, 'csrf_token': self.csrf_token}, status=200) response.mustcontain('Filename /home/foo cannot be inside a directory') def test_access_expired_gist(self, create_gist): self.log_user() gist = create_gist('never-see-me') gist.gist_expires = 0 # 1970 Session().add(gist) Session().commit() self.app.get(route_path('gist_show', gist_id=gist.gist_access_id), status=404) def test_create_private(self): self.log_user() response = self.app.post( route_path('gists_create'), params={'lifetime': -1, 'content': 'private gist test', 'filename': 'private-foo', 'gist_type': 'private', 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, 'csrf_token': self.csrf_token}, status=302) response = response.follow() response.mustcontain('added file: private-foo<') response.mustcontain('private gist test') response.mustcontain('Private Gist') # Make sure private gists are not indexed by robots response.mustcontain( '<meta name="robots" content="noindex, nofollow">') def test_create_private_acl_private(self): self.log_user() response = self.app.post( route_path('gists_create'), params={'lifetime': -1, 'content': 'private gist test', 'filename': 'private-foo', 'gist_type': 'private', 'gist_acl_level': Gist.ACL_LEVEL_PRIVATE, 'csrf_token': self.csrf_token}, status=302) response = response.follow() response.mustcontain('added file: private-foo<') response.mustcontain('private gist test') response.mustcontain('Private Gist') # Make sure private gists are not indexed by robots response.mustcontain( '<meta name="robots" content="noindex, nofollow">') def test_create_with_description(self): self.log_user() response = self.app.post( route_path('gists_create'), params={'lifetime': -1, 'content': 'gist test', 'filename': 'foo-desc', 'description': 'gist-desc', 'gist_type': 'public', 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, 'csrf_token': self.csrf_token}, status=302) response = response.follow() response.mustcontain('added file: foo-desc') response.mustcontain('gist test') response.mustcontain('gist-desc') def test_create_public_with_anonymous_access(self): self.log_user() params = { 'lifetime': -1, 'content': 'gist test', 'filename': 'foo-desc', 'description': 'gist-desc', 'gist_type': 'public', 'gist_acl_level': Gist.ACL_LEVEL_PUBLIC, 'csrf_token': self.csrf_token } response = self.app.post( route_path('gists_create'), params=params, status=302) self.logout_user() response = response.follow() response.mustcontain('added file: foo-desc') response.mustcontain('gist test') response.mustcontain('gist-desc') def test_new(self): self.log_user() self.app.get(route_path('gists_new')) def test_delete(self, create_gist): self.log_user() gist = create_gist('delete-me') response = self.app.post( route_path('gist_delete', gist_id=gist.gist_id), params={'csrf_token': self.csrf_token}) assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) def test_delete_normal_user_his_gist(self, create_gist): self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) gist = create_gist('delete-me', owner=TEST_USER_REGULAR_LOGIN) response = self.app.post( route_path('gist_delete', gist_id=gist.gist_id), params={'csrf_token': self.csrf_token}) assert_session_flash(response, 'Deleted gist %s' % gist.gist_id) def test_delete_normal_user_not_his_own_gist(self, create_gist): self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) gist = create_gist('delete-me-2') self.app.post( route_path('gist_delete', gist_id=gist.gist_id), params={'csrf_token': self.csrf_token}, status=404) def test_show(self, create_gist): gist = create_gist('gist-show-me') response = self.app.get(route_path('gist_show', gist_id=gist.gist_access_id)) response.mustcontain('added file: gist-show-me<') assert_response = response.assert_response() assert_response.element_equals_to( 'div.rc-user span.user', '<a href="/_profiles/test_admin">test_admin</a>') response.mustcontain('gist-desc') def test_show_without_hg(self, create_gist): with mock.patch( 'rhodecode.lib.vcs.settings.ALIASES', ['git']): gist = create_gist('gist-show-me-again') self.app.get( route_path('gist_show', gist_id=gist.gist_access_id), status=200) def test_show_acl_private(self, create_gist): gist = create_gist('gist-show-me-only-when-im-logged-in', acl_level=Gist.ACL_LEVEL_PRIVATE) self.app.get( route_path('gist_show', gist_id=gist.gist_access_id), status=404) # now we log-in we should see thi gist self.log_user() response = self.app.get( route_path('gist_show', gist_id=gist.gist_access_id)) response.mustcontain('added file: gist-show-me-only-when-im-logged-in') assert_response = response.assert_response() assert_response.element_equals_to( 'div.rc-user span.user', '<a href="/_profiles/test_admin">test_admin</a>') response.mustcontain('gist-desc') def test_show_as_raw(self, create_gist): gist = create_gist('gist-show-me', content='GIST CONTENT') response = self.app.get( route_path('gist_show_formatted', gist_id=gist.gist_access_id, revision='tip', format='raw')) assert response.body == 'GIST CONTENT' def test_show_as_raw_individual_file(self, create_gist): gist = create_gist('gist-show-me-raw', content='GIST BODY') response = self.app.get( route_path('gist_show_formatted_path', gist_id=gist.gist_access_id, format='raw', revision='tip', f_path='gist-show-me-raw')) assert response.body == 'GIST BODY' def test_edit_page(self, create_gist): self.log_user() gist = create_gist('gist-for-edit', content='GIST EDIT BODY') response = self.app.get(route_path('gist_edit', gist_id=gist.gist_access_id)) response.mustcontain('GIST EDIT BODY') def test_edit_page_non_logged_user(self, create_gist): gist = create_gist('gist-for-edit', content='GIST EDIT BODY') self.app.get(route_path('gist_edit', gist_id=gist.gist_access_id), status=302) def test_edit_normal_user_his_gist(self, create_gist): self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) gist = create_gist('gist-for-edit', owner=TEST_USER_REGULAR_LOGIN) self.app.get(route_path('gist_edit', gist_id=gist.gist_access_id, status=200)) def test_edit_normal_user_not_his_own_gist(self, create_gist): self.log_user(TEST_USER_REGULAR_LOGIN, TEST_USER_REGULAR_PASS) gist = create_gist('delete-me') self.app.get(route_path('gist_edit', gist_id=gist.gist_access_id), status=404) def test_user_first_name_is_escaped(self, user_util, create_gist): xss_atack_string = '"><script>alert(\'First Name\')</script>' xss_escaped_string = h.html_escape(h.escape(xss_atack_string)) password = 'test' user = user_util.create_user( firstname=xss_atack_string, password=password) create_gist('gist', gist_type='public', owner=user.username) response = self.app.get(route_path('gists_show')) response.mustcontain(xss_escaped_string) def test_user_last_name_is_escaped(self, user_util, create_gist): xss_atack_string = '"><script>alert(\'Last Name\')</script>' xss_escaped_string = h.html_escape(h.escape(xss_atack_string)) password = 'test' user = user_util.create_user( lastname=xss_atack_string, password=password) create_gist('gist', gist_type='public', owner=user.username) response = self.app.get(route_path('gists_show')) response.mustcontain(xss_escaped_string)