diff options
| author | Joshua Peek <josh@joshpeek.com> | 2008-12-15 16:33:31 -0600 |
|---|---|---|
| committer | Joshua Peek <josh@joshpeek.com> | 2008-12-15 16:33:31 -0600 |
| commit | ed708307137c811d14e5fd2cb4ea550add381a82 (patch) | |
| tree | 31cb7df0a489bb4bbb0a9bc9edb24a70a869a0d1 /actionpack/test/controller | |
| parent | e8c1915416579a3840573ca2c80822d96cb31823 (diff) | |
| download | rails-ed708307137c811d14e5fd2cb4ea550add381a82.tar.gz rails-ed708307137c811d14e5fd2cb4ea550add381a82.tar.bz2 rails-ed708307137c811d14e5fd2cb4ea550add381a82.zip | |
Switch to Rack based session stores.
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/integration_test.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/integration_upload_test.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/rack_test.rb | 26 | ||||
| -rw-r--r-- | actionpack/test/controller/session/cookie_store_test.rb | 348 | ||||
| -rw-r--r-- | actionpack/test/controller/session/mem_cache_store_test.rb | 207 | ||||
| -rw-r--r-- | actionpack/test/controller/session_fixation_test.rb | 168 | ||||
| -rw-r--r-- | actionpack/test/controller/session_management_test.rb | 178 | ||||
| -rw-r--r-- | actionpack/test/controller/webservice_test.rb | 2 |
8 files changed, 239 insertions, 694 deletions
diff --git a/actionpack/test/controller/integration_test.rb b/actionpack/test/controller/integration_test.rb index 6a793c8bb6..fd985a9a46 100644 --- a/actionpack/test/controller/integration_test.rb +++ b/actionpack/test/controller/integration_test.rb @@ -231,8 +231,6 @@ end class IntegrationProcessTest < ActionController::IntegrationTest class IntegrationController < ActionController::Base - session :off - def get respond_to do |format| format.html { render :text => "OK", :status => 200 } diff --git a/actionpack/test/controller/integration_upload_test.rb b/actionpack/test/controller/integration_upload_test.rb index b1dd6a6341..39d2e164e4 100644 --- a/actionpack/test/controller/integration_upload_test.rb +++ b/actionpack/test/controller/integration_upload_test.rb @@ -6,8 +6,6 @@ unless defined? ApplicationController end class UploadTestController < ActionController::Base - session :off - def update SessionUploadTest.last_request_type = ActionController::Base.param_parsers[request.content_type] render :text => "got here" diff --git a/actionpack/test/controller/rack_test.rb b/actionpack/test/controller/rack_test.rb index 641ef9626e..e2ec686c41 100644 --- a/actionpack/test/controller/rack_test.rb +++ b/actionpack/test/controller/rack_test.rb @@ -229,7 +229,7 @@ end class RackResponseTest < BaseRackTest def setup super - @response = ActionController::RackResponse.new(@request) + @response = ActionController::RackResponse.new end def test_simple_output @@ -265,34 +265,12 @@ class RackResponseTest < BaseRackTest body.each { |part| parts << part } assert_equal ["0", "1", "2", "3", "4"], parts end - - def test_set_session_cookie - cookie = CGI::Cookie.new({"name" => "name", "value" => "Josh"}) - @request.cgi.send :instance_variable_set, '@output_cookies', [cookie] - - @response.body = "Hello, World!" - @response.prepare! - - status, headers, body = @response.out - assert_equal "200 OK", status - assert_equal({ - "Content-Type" => "text/html; charset=utf-8", - "Cache-Control" => "private, max-age=0, must-revalidate", - "ETag" => '"65a8e27d8879283831b664bd8b7f0ad4"', - "Set-Cookie" => ["name=Josh; path="], - "Content-Length" => "13" - }, headers) - - parts = [] - body.each { |part| parts << part } - assert_equal ["Hello, World!"], parts - end end class RackResponseHeadersTest < BaseRackTest def setup super - @response = ActionController::RackResponse.new(@request) + @response = ActionController::RackResponse.new @response.headers['Status'] = "200 OK" end diff --git a/actionpack/test/controller/session/cookie_store_test.rb b/actionpack/test/controller/session/cookie_store_test.rb index b5f14acc1f..8098059d46 100644 --- a/actionpack/test/controller/session/cookie_store_test.rb +++ b/actionpack/test/controller/session/cookie_store_test.rb @@ -1,298 +1,146 @@ require 'abstract_unit' require 'stringio' +class CookieStoreTest < ActionController::IntegrationTest + SessionKey = '_myapp_session' + SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33' -class CGI::Session::CookieStore - def ensure_secret_secure_with_test_hax(secret) - if secret == CookieStoreTest.default_session_options['secret'] - return true - else - ensure_secret_secure_without_test_hax(secret) - end - end - alias_method_chain :ensure_secret_secure, :test_hax -end + DispatcherApp = ActionController::Dispatcher.new + CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp, + :key => SessionKey, :secret => SessionSecret) + SignedBar = "BAh7BjoIZm9vIghiYXI%3D--" + + "fef868465920f415f2c0652d6910d3af288a0367" -# Expose for tests. -class CGI - attr_reader :output_cookies, :output_hidden - - class Session - attr_reader :dbman + class TestController < ActionController::Base + def no_session_access + head :ok + end - class CookieStore - attr_reader :data, :original, :cookie_options + def set_session_value + session[:foo] = "bar" + head :ok end - end -end -class CookieStoreTest < Test::Unit::TestCase - def self.default_session_options - { 'database_manager' => CGI::Session::CookieStore, - 'session_key' => '_myapp_session', - 'secret' => 'Keep it secret; keep it safe.', - 'no_cookies' => true, - 'no_hidden' => true, - 'session_http_only' => true - } - end + def get_session_value + render :text => "foo: #{session[:foo].inspect}" + end - def self.cookies - { :empty => ['BAgw--0686dcaccc01040f4bd4f35fe160afe9bc04c330', {}], - :a_one => ['BAh7BiIGYWkG--5689059497d7f122a7119f171aef81dcfd807fec', { 'a' => 1 }], - :typical => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7BiILbm90aWNlIgxIZXkgbm93--9d20154623b9eeea05c62ab819be0e2483238759', { 'user_id' => 123, 'flash' => { 'notice' => 'Hey now' }}], - :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA==--bf9785a666d3c4ac09f7fe3353496b437546cfbf', { 'user_id' => 123, 'flash' => {} }] - } + def raise_data_overflow + session[:foo] = 'bye!' * 1024 + head :ok + end + def rescue_action(e) raise end end def setup - ENV.delete('HTTP_COOKIE') + @integration_session = open_session(CookieStoreApp) end def test_raises_argument_error_if_missing_session_key - [nil, ''].each do |blank| - assert_raise(ArgumentError, blank.inspect) { new_session 'session_key' => blank } - end + assert_raise(ArgumentError, nil.inspect) { + ActionController::Session::CookieStore.new(nil, + :key => nil, :secret => SessionSecret) + } + + assert_raise(ArgumentError, ''.inspect) { + ActionController::Session::CookieStore.new(nil, + :key => '', :secret => SessionSecret) + } end def test_raises_argument_error_if_missing_secret - [nil, ''].each do |blank| - assert_raise(ArgumentError, blank.inspect) { new_session 'secret' => blank } - end - end + assert_raise(ArgumentError, nil.inspect) { + ActionController::Session::CookieStore.new(nil, + :key => SessionKey, :secret => nil) + } - def test_raises_argument_error_if_secret_is_probably_insecure - ["password", "secret", "12345678901234567890123456789"].each do |blank| - assert_raise(ArgumentError, blank.inspect) { new_session 'secret' => blank } - end + assert_raise(ArgumentError, ''.inspect) { + ActionController::Session::CookieStore.new(nil, + :key => SessionKey, :secret => '') + } end - def test_reconfigures_session_to_omit_id_cookie_and_hidden_field - new_session do |session| - assert_equal true, @options['no_hidden'] - assert_equal true, @options['no_cookies'] - end - end + def test_raises_argument_error_if_secret_is_probably_insecure + assert_raise(ArgumentError, "password".inspect) { + ActionController::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "password") + } - def test_restore_unmarshals_missing_cookie_as_empty_hash - new_session do |session| - assert_nil session.dbman.data - assert_nil session['test'] - assert_equal Hash.new, session.dbman.data - end - end + assert_raise(ArgumentError, "secret".inspect) { + ActionController::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "secret") + } - def test_restore_unmarshals_good_cookies - cookies(:empty, :a_one, :typical).each do |value, expected| - set_cookie! value - new_session do |session| - assert_nil session['lazy loads the data hash'] - assert_equal expected, session.dbman.data - end - end + assert_raise(ArgumentError, "12345678901234567890123456789".inspect) { + ActionController::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "12345678901234567890123456789") + } end - def test_restore_deletes_tampered_cookies - set_cookie! 'a--b' - new_session do |session| - assert_raise(CGI::Session::CookieStore::TamperedWithCookie) { session['fail'] } - assert_cookie_deleted session - end + def test_setting_session_value + with_test_route_set do + get '/set_session_value' + assert_response :success + assert_equal ["_myapp_session=#{SignedBar}; path=/"], + headers['Set-Cookie'] + end end - def test_close_doesnt_write_cookie_if_data_is_blank - new_session do |session| - assert_no_cookies session - session.close - assert_no_cookies session - end + def test_getting_session_value + with_test_route_set do + cookies[SessionKey] = SignedBar + get '/get_session_value' + assert_response :success + assert_equal 'foo: "bar"', response.body + end end - def test_close_doesnt_write_cookie_if_data_is_unchanged - set_cookie! cookie_value(:typical) - new_session do |session| - assert_no_cookies session - session['user_id'] = session['user_id'] - session.close - assert_no_cookies session + def test_disregards_tampered_sessions + with_test_route_set do + cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780" + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body end end def test_close_raises_when_data_overflows - set_cookie! cookie_value(:empty) - new_session do |session| - session['overflow'] = 'bye!' * 1024 - assert_raise(CGI::Session::CookieStore::CookieOverflow) { session.close } - assert_no_cookies session - end - end - - def test_close_marshals_and_writes_cookie - set_cookie! cookie_value(:typical) - new_session do |session| - assert_no_cookies session - session['flash'] = {} - assert_no_cookies session - session.close - assert_equal 1, session.cgi.output_cookies.size - cookie = session.cgi.output_cookies.first - assert_cookie cookie, cookie_value(:flashed) - assert_http_only_cookie cookie - assert_secure_cookie cookie, false - end - end - - def test_writes_non_secure_cookie_by_default - set_cookie! cookie_value(:typical) - new_session do |session| - session['flash'] = {} - session.close - cookie = session.cgi.output_cookies.first - assert_secure_cookie cookie,false - end - end - - def test_writes_secure_cookie - set_cookie! cookie_value(:typical) - new_session('session_secure'=>true) do |session| - session['flash'] = {} - session.close - cookie = session.cgi.output_cookies.first - assert_secure_cookie cookie + with_test_route_set do + assert_raise(ActionController::Session::CookieStore::CookieOverflow) { + get '/raise_data_overflow' + } end end - def test_http_only_cookie_by_default - set_cookie! cookie_value(:typical) - new_session do |session| - session['flash'] = {} - session.close - cookie = session.cgi.output_cookies.first - assert_http_only_cookie cookie + def test_doesnt_write_session_cookie_if_session_is_not_accessed + with_test_route_set do + get '/no_session_access' + assert_response :success + assert_equal [], headers['Set-Cookie'] end end - def test_overides_http_only_cookie - set_cookie! cookie_value(:typical) - new_session('session_http_only'=>false) do |session| - session['flash'] = {} - session.close - cookie = session.cgi.output_cookies.first - assert_http_only_cookie cookie, false - end - end - - def test_delete_writes_expired_empty_cookie_and_sets_data_to_nil - set_cookie! cookie_value(:typical) - new_session do |session| - assert_no_cookies session - session.delete - assert_cookie_deleted session - - # @data is set to nil so #close doesn't send another cookie. - session.close - assert_cookie_deleted session - end - end - - def test_new_session_doesnt_reuse_deleted_cookie_data - set_cookie! cookie_value(:typical) - - new_session do |session| - assert_not_nil session['user_id'] - session.delete - - # Start a new session using the same CGI instance. - post_delete_session = CGI::Session.new(session.cgi, self.class.default_session_options) - assert_nil post_delete_session['user_id'] + def test_doesnt_write_session_cookie_if_session_is_unchanged + with_test_route_set do + cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" + + "fef868465920f415f2c0652d6910d3af288a0367" + get '/no_session_access' + assert_response :success + assert_equal [], headers['Set-Cookie'] end end private - def assert_no_cookies(session) - assert_nil session.cgi.output_cookies, session.cgi.output_cookies.inspect - end - - def assert_cookie_deleted(session, message = 'Expected session deletion cookie to be set') - assert_equal 1, session.cgi.output_cookies.size - cookie = session.cgi.output_cookies.first - assert_cookie cookie, nil, 1.year.ago.to_date, "#{message}: #{cookie.name} => #{cookie.value}" - end - - def assert_cookie(cookie, value = nil, expires = nil, message = nil) - assert_equal '_myapp_session', cookie.name, message - assert_equal [value].compact, cookie.value, message - assert_equal expires, cookie.expires ? cookie.expires.to_date : cookie.expires, message - end - - def assert_secure_cookie(cookie,value=true) - assert cookie.secure==value - end - - def assert_http_only_cookie(cookie,value=true) - assert cookie.http_only==value - end - - def cookies(*which) - self.class.cookies.values_at(*which) - end - - def cookie_value(which) - self.class.cookies[which].first - end - - def set_cookie!(value) - ENV['HTTP_COOKIE'] = "_myapp_session=#{value}" - end - - def new_session(options = {}) - with_cgi do |cgi| - assert_nil cgi.output_hidden, "Output hidden params should be empty: #{cgi.output_hidden.inspect}" - assert_nil cgi.output_cookies, "Output cookies should be empty: #{cgi.output_cookies.inspect}" - - @options = self.class.default_session_options.merge(options) - session = CGI::Session.new(cgi, @options) - ObjectSpace.undefine_finalizer(session) - - assert_nil cgi.output_hidden, "Output hidden params should be empty: #{cgi.output_hidden.inspect}" - assert_nil cgi.output_cookies, "Output cookies should be empty: #{cgi.output_cookies.inspect}" - - yield session if block_given? - session + def with_test_route_set + with_routing do |set| + set.draw do |map| + map.with_options :controller => "cookie_store_test/test" do |c| + c.connect "/:action" + end + end + yield end end - - def with_cgi - ENV['REQUEST_METHOD'] = 'GET' - ENV['HTTP_HOST'] = 'example.com' - ENV['QUERY_STRING'] = '' - - cgi = CGI.new('query', StringIO.new('')) - yield cgi if block_given? - cgi - end -end - - -class CookieStoreWithBlockAsSecretTest < CookieStoreTest - def self.default_session_options - CookieStoreTest.default_session_options.merge 'secret' => Proc.new { 'Keep it secret; keep it safe.' } - end -end - - -class CookieStoreWithMD5DigestTest < CookieStoreTest - def self.default_session_options - CookieStoreTest.default_session_options.merge 'digest' => 'MD5' - end - - def self.cookies - { :empty => ['BAgw--0415cc0be9579b14afc22ee2d341aa21', {}], - :a_one => ['BAh7BiIGYWkG--5a0ed962089cc6600ff44168a5d59bc8', { 'a' => 1 }], - :typical => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7BiILbm90aWNlIgxIZXkgbm93--f426763f6ef435b3738b493600db8d64', { 'user_id' => 123, 'flash' => { 'notice' => 'Hey now' }}], - :flashed => ['BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA==--0af9156650dab044a53a91a4ddec2c51', { 'user_id' => 123, 'flash' => {} }], - :double_escaped => [CGI.escape('BAh7ByIMdXNlcl9pZGkBeyIKZmxhc2h7AA%3D%3D--0af9156650dab044a53a91a4ddec2c51'), { 'user_id' => 123, 'flash' => {} }] } - end end diff --git a/actionpack/test/controller/session/mem_cache_store_test.rb b/actionpack/test/controller/session/mem_cache_store_test.rb index 9ab927a01f..52e31b78da 100644 --- a/actionpack/test/controller/session/mem_cache_store_test.rb +++ b/actionpack/test/controller/session/mem_cache_store_test.rb @@ -1,178 +1,81 @@ require 'abstract_unit' -class CGI::Session - def cache - dbman.instance_variable_get(:@cache) - end -end - - -uses_mocha 'MemCacheStore tests' do -if defined? MemCache::MemCacheError +# You need to start a memcached server inorder to run these tests +class MemCacheStoreTest < ActionController::IntegrationTest + class TestController < ActionController::Base + def no_session_access + head :ok + end -class MemCacheStoreTest < Test::Unit::TestCase - SESSION_KEY_RE = /^session:[0-9a-z]+/ - CONN_TEST_KEY = 'connection_test' - MULTI_TEST_KEY = '0123456789' - TEST_DATA = 'Hello test' + def set_session_value + session[:foo] = "bar" + head :ok + end - def self.get_mem_cache_if_available - begin - require 'memcache' - cache = MemCache.new('127.0.0.1') - # Test availability of the connection - cache.set(CONN_TEST_KEY, 1) - unless cache.get(CONN_TEST_KEY) == 1 - puts 'Warning: memcache server available but corrupted.' - return nil - end - rescue LoadError, MemCache::MemCacheError - return nil + def get_session_value + render :text => "foo: #{session[:foo].inspect}" end - return cache + + def rescue_action(e) raise end end - CACHE = get_mem_cache_if_available + begin + DispatcherApp = ActionController::Dispatcher.new + MemCacheStoreApp = ActionController::Session::MemCacheStore.new( + DispatcherApp, :key => '_session_id') - def test_initialization - assert_raise(ArgumentError) { new_session('session_id' => '!invalid_id') } - new_session do |s| - assert_equal Hash.new, s.cache.get('session:' + s.session_id) + def setup + @integration_session = open_session(MemCacheStoreApp) end - end + def test_setting_and_getting_session_value + with_test_route_set do + get '/set_session_value' + assert_response :success + assert cookies['_session_id'] - def test_storage - d = rand(0xffff) - new_session do |s| - session_key = 'session:' + s.session_id - unless CACHE - s.cache.expects(:get).with(session_key) \ - .returns(:test => d) - s.cache.expects(:set).with(session_key, - has_entry(:test, d), - 0) - end - s[:test] = d - s.close - assert_equal d, s.cache.get(session_key)[:test] - assert_equal d, s[:test] - end - end - - def test_deletion - new_session do |s| - session_key = 'session:' + s.session_id - unless CACHE - s.cache.expects(:delete) - s.cache.expects(:get).with(session_key) \ - .returns(nil) + get '/get_session_value' + assert_response :success + assert_equal 'foo: "bar"', response.body end - s[:test] = rand(0xffff) - s.delete - assert_nil s.cache.get(session_key) end - end - - def test_other_session_retrieval - new_session do |sa| - unless CACHE - sa.cache.expects(:set).with('session:' + sa.session_id, - has_entry(:test, TEST_DATA), - 0) - end - sa[:test] = TEST_DATA - sa.close - new_session('session_id' => sa.session_id) do |sb| - unless CACHE - sb.cache.expects(:[]).with('session:' + sb.session_id) \ - .returns(:test => TEST_DATA) - end - assert_equal(TEST_DATA, sb[:test]) + def test_getting_nil_session_value + with_test_route_set do + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body end end - end + def test_prevents_session_fixation + with_test_route_set do + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + session_id = cookies['_session_id'] - def test_multiple_sessions - s_slots = Array.new(10) - operation = :write - last_data = nil - reads = writes = 0 - 50.times do - current = rand(10) - s_slots[current] ||= new_session('session_id' => MULTI_TEST_KEY, - 'new_session' => true) - s = s_slots[current] - case operation - when :write - last_data = rand(0xffff) - unless CACHE - s.cache.expects(:set).with('session:' + MULTI_TEST_KEY, - { :test => last_data }, - 0) - end - s[:test] = last_data - s.close - writes += 1 - when :read - # Make CGI::Session#[] think there was no data retrieval yet. - # Normally, the session caches the data during its lifetime. - s.instance_variable_set(:@data, nil) - unless CACHE - s.cache.expects(:[]).with('session:' + MULTI_TEST_KEY) \ - .returns(:test => last_data) - end - d = s[:test] - assert_equal(last_data, d, "OK reads: #{reads}, OK writes: #{writes}") - reads += 1 + reset! + + get '/set_session_value', :_session_id => session_id + assert_response :success + assert_equal nil, cookies['_session_id'] end - operation = rand(5) == 0 ? :write : :read end + rescue LoadError, RuntimeError + $stderr.puts "Skipping MemCacheStoreTest tests. Start memcached and try again." end - - private - def obtain_session_options - options = { 'database_manager' => CGI::Session::MemCacheStore, - 'session_key' => '_test_app_session' - } - # if don't have running memcache server we use mock instead - unless CACHE - options['cache'] = c = mock - c.stubs(:[]).with(regexp_matches(SESSION_KEY_RE)) - c.stubs(:get).with(regexp_matches(SESSION_KEY_RE)) \ - .returns(Hash.new) - c.stubs(:add).with(regexp_matches(SESSION_KEY_RE), - instance_of(Hash), - 0) - end - options - end - - - def new_session(options = {}) - with_cgi do |cgi| - @options = obtain_session_options.merge(options) - session = CGI::Session.new(cgi, @options) - yield session if block_given? - return session + def with_test_route_set + with_routing do |set| + set.draw do |map| + map.with_options :controller => "mem_cache_store_test/test" do |c| + c.connect "/:action" + end + end + yield + end end - end - - def with_cgi - ENV['REQUEST_METHOD'] = 'GET' - ENV['HTTP_HOST'] = 'example.com' - ENV['QUERY_STRING'] = '' - - cgi = CGI.new('query', StringIO.new('')) - yield cgi if block_given? - cgi - end end - -end # defined? MemCache -end # uses_mocha diff --git a/actionpack/test/controller/session_fixation_test.rb b/actionpack/test/controller/session_fixation_test.rb index e8dc8bd295..9e5b45dc3d 100644 --- a/actionpack/test/controller/session_fixation_test.rb +++ b/actionpack/test/controller/session_fixation_test.rb @@ -1,84 +1,84 @@ -require 'abstract_unit' - -class SessionFixationTest < ActionController::IntegrationTest - class TestController < ActionController::Base - session :session_key => '_myapp_session_id', - :secret => CGI::Session.generate_unique_id, - :except => :default_session_key - - session :cookie_only => false, - :only => :allow_session_fixation - - def default_session_key - render :text => "default_session_key" - end - - def custom_session_key - render :text => "custom_session_key: #{params[:id]}" - end - - def allow_session_fixation - render :text => "allow_session_fixation" - end - - def rescue_action(e) raise end - end - - def setup - @controller = TestController.new - end - - def test_should_be_able_to_make_a_successful_request - with_test_route_set do - assert_nothing_raised do - get '/custom_session_key', :id => "1" - end - assert_equal 'custom_session_key: 1', @controller.response.body - assert_not_nil @controller.session - end - end - - def test_should_catch_session_fixation_attempt - with_test_route_set do - assert_raises(ActionController::RackRequest::SessionFixationAttempt) do - get '/custom_session_key', :_myapp_session_id => "42" - end - assert_nil @controller.session - end - end - - def test_should_not_catch_session_fixation_attempt_when_cookie_only_setting_is_disabled - with_test_route_set do - assert_nothing_raised do - get '/allow_session_fixation', :_myapp_session_id => "42" - end - assert !@controller.response.body.blank? - assert_not_nil @controller.session - end - end - - def test_should_catch_session_fixation_attempt_with_default_session_key - # using the default session_key is not possible with cookie store - ActionController::Base.session_store = :p_store - - with_test_route_set do - assert_raises ActionController::RackRequest::SessionFixationAttempt do - get '/default_session_key', :_session_id => "42" - end - assert_nil @controller.response - assert_nil @controller.session - end - end - - private - def with_test_route_set - with_routing do |set| - set.draw do |map| - map.with_options :controller => "session_fixation_test/test" do |c| - c.connect "/:action" - end - end - yield - end - end -end +# require 'abstract_unit' +# +# class SessionFixationTest < ActionController::IntegrationTest +# class TestController < ActionController::Base +# session :session_key => '_myapp_session_id', +# :secret => CGI::Session.generate_unique_id, +# :except => :default_session_key +# +# session :cookie_only => false, +# :only => :allow_session_fixation +# +# def default_session_key +# render :text => "default_session_key" +# end +# +# def custom_session_key +# render :text => "custom_session_key: #{params[:id]}" +# end +# +# def allow_session_fixation +# render :text => "allow_session_fixation" +# end +# +# def rescue_action(e) raise end +# end +# +# def setup +# @controller = TestController.new +# end +# +# def test_should_be_able_to_make_a_successful_request +# with_test_route_set do +# assert_nothing_raised do +# get '/custom_session_key', :id => "1" +# end +# assert_equal 'custom_session_key: 1', @controller.response.body +# assert_not_nil @controller.session +# end +# end +# +# def test_should_catch_session_fixation_attempt +# with_test_route_set do +# assert_raises(ActionController::RackRequest::SessionFixationAttempt) do +# get '/custom_session_key', :_myapp_session_id => "42" +# end +# assert_nil @controller.session +# end +# end +# +# def test_should_not_catch_session_fixation_attempt_when_cookie_only_setting_is_disabled +# with_test_route_set do +# assert_nothing_raised do +# get '/allow_session_fixation', :_myapp_session_id => "42" +# end +# assert !@controller.response.body.blank? +# assert_not_nil @controller.session +# end +# end +# +# def test_should_catch_session_fixation_attempt_with_default_session_key +# # using the default session_key is not possible with cookie store +# ActionController::Base.session_store = :p_store +# +# with_test_route_set do +# assert_raises ActionController::RackRequest::SessionFixationAttempt do +# get '/default_session_key', :_session_id => "42" +# end +# assert_nil @controller.response +# assert_nil @controller.session +# end +# end +# +# private +# def with_test_route_set +# with_routing do |set| +# set.draw do |map| +# map.with_options :controller => "session_fixation_test/test" do |c| +# c.connect "/:action" +# end +# end +# yield +# end +# end +# end diff --git a/actionpack/test/controller/session_management_test.rb b/actionpack/test/controller/session_management_test.rb deleted file mode 100644 index 592b0b549d..0000000000 --- a/actionpack/test/controller/session_management_test.rb +++ /dev/null @@ -1,178 +0,0 @@ -require 'abstract_unit' - -class SessionManagementTest < Test::Unit::TestCase - class SessionOffController < ActionController::Base - session :off - - def show - render :text => "done" - end - - def tell - render :text => "done" - end - end - - class SessionOffOnController < ActionController::Base - session :off - session :on, :only => :tell - - def show - render :text => "done" - end - - def tell - render :text => "done" - end - end - - class TestController < ActionController::Base - session :off, :only => :show - session :session_secure => true, :except => :show - session :off, :only => :conditional, - :if => Proc.new { |r| r.parameters[:ws] } - - def show - render :text => "done" - end - - def tell - render :text => "done" - end - - def conditional - render :text => ">>>#{params[:ws]}<<<" - end - end - - class SpecializedController < SessionOffController - session :disabled => false, :only => :something - - def something - render :text => "done" - end - - def another - render :text => "done" - end - end - - class AssociationCachingTestController < ActionController::Base - class ObjectWithAssociationCache - def initialize - @cached_associations = false - end - - def fetch_associations - @cached_associations = true - end - - def clear_association_cache - @cached_associations = false - end - - def has_cached_associations? - @cached_associations - end - end - - def show - session[:object] = ObjectWithAssociationCache.new - session[:object].fetch_associations - if session[:object].has_cached_associations? - render :text => "has cached associations" - else - render :text => "does not have cached associations" - end - end - - def tell - if session[:object] - if session[:object].has_cached_associations? - render :text => "has cached associations" - else - render :text => "does not have cached associations" - end - else - render :text => "there is no object" - end - end - end - - - def setup - @request, @response = ActionController::TestRequest.new, - ActionController::TestResponse.new - end - - def test_session_off_globally - @controller = SessionOffController.new - get :show - assert_equal false, @request.session_options - get :tell - assert_equal false, @request.session_options - end - - def test_session_off_then_on_globally - @controller = SessionOffOnController.new - get :show - assert_equal false, @request.session_options - get :tell - assert_instance_of Hash, @request.session_options - assert_equal false, @request.session_options[:disabled] - end - - def test_session_off_conditionally - @controller = TestController.new - get :show - assert_equal false, @request.session_options - get :tell - assert_instance_of Hash, @request.session_options - assert @request.session_options[:session_secure] - end - - def test_controller_specialization_overrides_settings - @controller = SpecializedController.new - get :something - assert_instance_of Hash, @request.session_options - get :another - assert_equal false, @request.session_options - end - - def test_session_off_with_if - @controller = TestController.new - get :conditional - assert_instance_of Hash, @request.session_options - get :conditional, :ws => "ws" - assert_equal false, @request.session_options - end - - def test_session_store_setting - ActionController::Base.session_store = :drb_store - assert_equal CGI::Session::DRbStore, ActionController::Base.session_store - - if Object.const_defined?(:ActiveRecord) - ActionController::Base.session_store = :active_record_store - assert_equal CGI::Session::ActiveRecordStore, ActionController::Base.session_store - end - end - - def test_process_cleanup_with_session_management_support - @controller = AssociationCachingTestController.new - get :show - assert_equal "has cached associations", @response.body - get :tell - assert_equal "does not have cached associations", @response.body - end - - def test_session_is_enabled - @controller = TestController.new - get :show - assert_nothing_raised do - assert_equal false, @controller.session_enabled? - end - - get :tell - assert @controller.session_enabled? - end -end diff --git a/actionpack/test/controller/webservice_test.rb b/actionpack/test/controller/webservice_test.rb index 4c44ea4205..e89d6bb960 100644 --- a/actionpack/test/controller/webservice_test.rb +++ b/actionpack/test/controller/webservice_test.rb @@ -2,8 +2,6 @@ require 'abstract_unit' class WebServiceTest < ActionController::IntegrationTest class TestController < ActionController::Base - session :off - def assign_parameters if params[:full] render :text => dump_params_keys |