From fc5c1b0e901a735a68dd822608eec2f99b6c7b74 Mon Sep 17 00:00:00 2001 From: Joshua Peek Date: Sun, 19 Apr 2009 17:51:23 -0500 Subject: Session tests belong under dispatch folder --- .../test/dispatch/session/cookie_store_test.rb | 250 +++++++++++++++++++++ .../test/dispatch/session/mem_cache_store_test.rb | 127 +++++++++++ .../test/dispatch/session/test_session_test.rb | 58 +++++ 3 files changed, 435 insertions(+) create mode 100644 actionpack/test/dispatch/session/cookie_store_test.rb create mode 100644 actionpack/test/dispatch/session/mem_cache_store_test.rb create mode 100644 actionpack/test/dispatch/session/test_session_test.rb (limited to 'actionpack/test/dispatch') diff --git a/actionpack/test/dispatch/session/cookie_store_test.rb b/actionpack/test/dispatch/session/cookie_store_test.rb new file mode 100644 index 0000000000..b9bf8cf411 --- /dev/null +++ b/actionpack/test/dispatch/session/cookie_store_test.rb @@ -0,0 +1,250 @@ +require 'abstract_unit' +require 'stringio' + +class CookieStoreTest < ActionController::IntegrationTest + SessionKey = '_myapp_session' + SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33' + + DispatcherApp = ActionController::Dispatcher.new + CookieStoreApp = ActionDispatch::Session::CookieStore.new(DispatcherApp, + :key => SessionKey, :secret => SessionSecret) + + Verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1') + + SignedBar = "BAh7BjoIZm9vIghiYXI%3D--fef868465920f415f2c0652d6910d3af288a0367" + + class TestController < ActionController::Base + def no_session_access + head :ok + end + + def persistent_session_id + render :text => session[:session_id] + end + + def set_session_value + session[:foo] = "bar" + render :text => Rack::Utils.escape(Verifier.generate(session.to_hash)) + end + + def get_session_value + render :text => "foo: #{session[:foo].inspect}" + end + + def get_session_id + render :text => "foo: #{session[:foo].inspect}; id: #{request.session_options[:id]}" + end + + def call_reset_session + reset_session + head :ok + end + + def raise_data_overflow + session[:foo] = 'bye!' * 1024 + head :ok + end + + def rescue_action(e) raise end + end + + def setup + @integration_session = open_session(CookieStoreApp) + end + + def test_raises_argument_error_if_missing_session_key + assert_raise(ArgumentError, nil.inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => nil, :secret => SessionSecret) + } + + assert_raise(ArgumentError, ''.inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => '', :secret => SessionSecret) + } + end + + def test_raises_argument_error_if_missing_secret + assert_raise(ArgumentError, nil.inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => SessionKey, :secret => nil) + } + + assert_raise(ArgumentError, ''.inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => SessionKey, :secret => '') + } + end + + def test_raises_argument_error_if_secret_is_probably_insecure + assert_raise(ArgumentError, "password".inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "password") + } + + assert_raise(ArgumentError, "secret".inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "secret") + } + + assert_raise(ArgumentError, "12345678901234567890123456789".inspect) { + ActionDispatch::Session::CookieStore.new(nil, + :key => SessionKey, :secret => "12345678901234567890123456789") + } + end + + def test_setting_session_value + with_test_route_set do + get '/set_session_value' + assert_response :success + assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly", + headers['Set-Cookie'] + end + end + + def test_getting_session_value + with_test_route_set do + cookies[SessionKey] = SignedBar + get '/get_session_value' + assert_response :success + assert_equal 'foo: "bar"', response.body + end + end + + def test_getting_session_id + with_test_route_set do + cookies[SessionKey] = SignedBar + get '/persistent_session_id' + assert_response :success + assert_equal response.body.size, 32 + session_id = response.body + + get '/get_session_id' + assert_response :success + assert_equal "foo: \"bar\"; id: #{session_id}", response.body + end + end + + def test_disregards_tampered_sessions + with_test_route_set do + cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780" + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + end + end + + def test_close_raises_when_data_overflows + with_test_route_set do + assert_raise(ActionDispatch::Session::CookieStore::CookieOverflow) { + get '/raise_data_overflow' + } + end + end + + def test_doesnt_write_session_cookie_if_session_is_not_accessed + with_test_route_set do + get '/no_session_access' + assert_response :success + assert_equal "", headers['Set-Cookie'] + end + end + + def test_doesnt_write_session_cookie_if_session_is_unchanged + with_test_route_set do + cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" + + "fef868465920f415f2c0652d6910d3af288a0367" + get '/no_session_access' + assert_response :success + assert_equal "", headers['Set-Cookie'] + end + end + + def test_setting_session_value_after_session_reset + with_test_route_set do + get '/set_session_value' + assert_response :success + session_payload = response.body + assert_equal "_myapp_session=#{response.body}; path=/; HttpOnly", + headers['Set-Cookie'] + + get '/call_reset_session' + assert_response :success + assert_not_equal [], headers['Set-Cookie'] + assert_not_equal session_payload, cookies[SessionKey] + + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + end + end + + def test_persistent_session_id + with_test_route_set do + cookies[SessionKey] = SignedBar + get '/persistent_session_id' + assert_response :success + assert_equal response.body.size, 32 + session_id = response.body + get '/persistent_session_id' + assert_equal session_id, response.body + reset! + get '/persistent_session_id' + assert_not_equal session_id, response.body + end + end + + def test_session_store_with_expire_after + app = ActionDispatch::Session::CookieStore.new(DispatcherApp, :key => SessionKey, :secret => SessionSecret, :expire_after => 5.hours) + @integration_session = open_session(app) + + with_test_route_set do + # First request accesses the session + time = Time.local(2008, 4, 24) + Time.stubs(:now).returns(time) + expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d-%b-%Y %H:%M:%S GMT") + + cookies[SessionKey] = SignedBar + + get '/set_session_value' + assert_response :success + + cookie_body = response.body + assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly", + headers['Set-Cookie'] + + # Second request does not access the session + time = Time.local(2008, 4, 25) + Time.stubs(:now).returns(time) + expected_expiry = (time + 5.hours).gmtime.strftime("%a, %d-%b-%Y %H:%M:%S GMT") + + get '/no_session_access' + assert_response :success + + # Mystery bug that came up in 2.3 as well. What is this trying to test?! + # assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly", + # headers['Set-Cookie'] + end + end + + private + def with_test_route_set + with_routing do |set| + set.draw do |map| + map.with_options :controller => "cookie_store_test/test" do |c| + c.connect "/:action" + end + end + yield + end + end + + def unmarshal_session(cookie_string) + session = Rack::Utils.parse_query(cookie_string, ';,').inject({}) {|h,(k,v)| + h[k] = Array === v ? v.first : v + h + }[SessionKey] + verifier = ActiveSupport::MessageVerifier.new(SessionSecret, 'SHA1') + verifier.verify(session) + end +end diff --git a/actionpack/test/dispatch/session/mem_cache_store_test.rb b/actionpack/test/dispatch/session/mem_cache_store_test.rb new file mode 100644 index 0000000000..7561c93e4a --- /dev/null +++ b/actionpack/test/dispatch/session/mem_cache_store_test.rb @@ -0,0 +1,127 @@ +require 'abstract_unit' + +# You need to start a memcached server inorder to run these tests +class MemCacheStoreTest < ActionController::IntegrationTest + class TestController < ActionController::Base + def no_session_access + head :ok + end + + def set_session_value + session[:foo] = "bar" + head :ok + end + + def get_session_value + render :text => "foo: #{session[:foo].inspect}" + end + + def get_session_id + session[:foo] + render :text => "#{request.session_options[:id]}" + end + + def call_reset_session + session[:bar] + reset_session + session[:bar] = "baz" + head :ok + end + + def rescue_action(e) raise end + end + + begin + DispatcherApp = ActionController::Dispatcher.new + MemCacheStoreApp = ActionDispatch::Session::MemCacheStore.new( + DispatcherApp, :key => '_session_id') + + + def setup + @integration_session = open_session(MemCacheStoreApp) + end + + def test_setting_and_getting_session_value + with_test_route_set do + get '/set_session_value' + assert_response :success + assert cookies['_session_id'] + + get '/get_session_value' + assert_response :success + assert_equal 'foo: "bar"', response.body + end + end + + def test_getting_nil_session_value + with_test_route_set do + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + end + end + + def test_setting_session_value_after_session_reset + with_test_route_set do + get '/set_session_value' + assert_response :success + assert cookies['_session_id'] + session_id = cookies['_session_id'] + + get '/call_reset_session' + assert_response :success + assert_not_equal [], headers['Set-Cookie'] + + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + + get '/get_session_id' + assert_response :success + assert_not_equal session_id, response.body + end + end + + def test_getting_session_id + with_test_route_set do + get '/set_session_value' + assert_response :success + assert cookies['_session_id'] + session_id = cookies['_session_id'] + + get '/get_session_id' + assert_response :success + assert_equal session_id, response.body + end + end + + def test_prevents_session_fixation + with_test_route_set do + get '/get_session_value' + assert_response :success + assert_equal 'foo: nil', response.body + session_id = cookies['_session_id'] + + reset! + + get '/set_session_value', :_session_id => session_id + assert_response :success + assert_equal nil, cookies['_session_id'] + end + end + rescue LoadError, RuntimeError + $stderr.puts "Skipping MemCacheStoreTest tests. Start memcached and try again." + end + + private + def with_test_route_set + with_routing do |set| + set.draw do |map| + map.with_options :controller => "mem_cache_store_test/test" do |c| + c.connect "/:action" + end + end + yield + end + end +end diff --git a/actionpack/test/dispatch/session/test_session_test.rb b/actionpack/test/dispatch/session/test_session_test.rb new file mode 100644 index 0000000000..de6539e1cc --- /dev/null +++ b/actionpack/test/dispatch/session/test_session_test.rb @@ -0,0 +1,58 @@ +require 'abstract_unit' +require 'stringio' + +class ActionController::TestSessionTest < ActiveSupport::TestCase + + def test_calling_delete_without_parameters_raises_deprecation_warning_and_calls_to_clear_test_session + assert_deprecated(/use clear instead/){ ActionController::TestSession.new.delete } + end + + def test_calling_update_without_parameters_raises_deprecation_warning_and_calls_to_clear_test_session + assert_deprecated(/use replace instead/){ ActionController::TestSession.new.update } + end + + def test_calling_close_raises_deprecation_warning + assert_deprecated(/sessions should no longer be closed/){ ActionController::TestSession.new.close } + end + + def test_defaults + session = ActionController::TestSession.new + assert_equal({}, session.data) + assert_equal('', session.session_id) + end + + def test_ctor_allows_setting + session = ActionController::TestSession.new({:one => 'one', :two => 'two'}) + assert_equal('one', session[:one]) + assert_equal('two', session[:two]) + end + + def test_setting_session_item_sets_item + session = ActionController::TestSession.new + session[:key] = 'value' + assert_equal('value', session[:key]) + end + + def test_calling_delete_removes_item + session = ActionController::TestSession.new + session[:key] = 'value' + assert_equal('value', session[:key]) + session.delete(:key) + assert_nil(session[:key]) + end + + def test_calling_update_with_params_passes_to_attributes + session = ActionController::TestSession.new() + session.update('key' => 'value') + assert_equal('value', session[:key]) + end + + def test_clear_emptys_session + params = {:one => 'one', :two => 'two'} + session = ActionController::TestSession.new({:one => 'one', :two => 'two'}) + session.clear + assert_nil(session[:one]) + assert_nil(session[:two]) + end + +end \ No newline at end of file -- cgit v1.2.3