1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
require 'abstract_unit'
require 'stringio'
class CookieStoreTest < ActionController::IntegrationTest
SessionKey = '_myapp_session'
SessionSecret = 'b3c631c314c0bbca50c1b2843150fe33'
DispatcherApp = ActionController::Dispatcher.new
CookieStoreApp = ActionController::Session::CookieStore.new(DispatcherApp,
:key => SessionKey, :secret => SessionSecret)
SignedBar = "BAh7BjoIZm9vIghiYXI%3D--" +
"fef868465920f415f2c0652d6910d3af288a0367"
class TestController < ActionController::Base
def no_session_access
head :ok
end
def set_session_value
session[:foo] = "bar"
head :ok
end
def get_session_value
render :text => "foo: #{session[:foo].inspect}"
end
def raise_data_overflow
session[:foo] = 'bye!' * 1024
head :ok
end
def rescue_action(e) raise end
end
def setup
@integration_session = open_session(CookieStoreApp)
end
def test_raises_argument_error_if_missing_session_key
assert_raise(ArgumentError, nil.inspect) {
ActionController::Session::CookieStore.new(nil,
:key => nil, :secret => SessionSecret)
}
assert_raise(ArgumentError, ''.inspect) {
ActionController::Session::CookieStore.new(nil,
:key => '', :secret => SessionSecret)
}
end
def test_raises_argument_error_if_missing_secret
assert_raise(ArgumentError, nil.inspect) {
ActionController::Session::CookieStore.new(nil,
:key => SessionKey, :secret => nil)
}
assert_raise(ArgumentError, ''.inspect) {
ActionController::Session::CookieStore.new(nil,
:key => SessionKey, :secret => '')
}
end
def test_raises_argument_error_if_secret_is_probably_insecure
assert_raise(ArgumentError, "password".inspect) {
ActionController::Session::CookieStore.new(nil,
:key => SessionKey, :secret => "password")
}
assert_raise(ArgumentError, "secret".inspect) {
ActionController::Session::CookieStore.new(nil,
:key => SessionKey, :secret => "secret")
}
assert_raise(ArgumentError, "12345678901234567890123456789".inspect) {
ActionController::Session::CookieStore.new(nil,
:key => SessionKey, :secret => "12345678901234567890123456789")
}
end
def test_setting_session_value
with_test_route_set do
get '/set_session_value'
assert_response :success
assert_equal ["_myapp_session=#{SignedBar}; path=/"],
headers['Set-Cookie']
end
end
def test_getting_session_value
with_test_route_set do
cookies[SessionKey] = SignedBar
get '/get_session_value'
assert_response :success
assert_equal 'foo: "bar"', response.body
end
end
def test_disregards_tampered_sessions
with_test_route_set do
cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--123456780"
get '/get_session_value'
assert_response :success
assert_equal 'foo: nil', response.body
end
end
def test_close_raises_when_data_overflows
with_test_route_set do
assert_raise(ActionController::Session::CookieStore::CookieOverflow) {
get '/raise_data_overflow'
}
end
end
def test_doesnt_write_session_cookie_if_session_is_not_accessed
with_test_route_set do
get '/no_session_access'
assert_response :success
assert_equal [], headers['Set-Cookie']
end
end
def test_doesnt_write_session_cookie_if_session_is_unchanged
with_test_route_set do
cookies[SessionKey] = "BAh7BjoIZm9vIghiYXI%3D--" +
"fef868465920f415f2c0652d6910d3af288a0367"
get '/no_session_access'
assert_response :success
assert_equal [], headers['Set-Cookie']
end
end
private
def with_test_route_set
with_routing do |set|
set.draw do |map|
map.with_options :controller => "cookie_store_test/test" do |c|
c.connect "/:action"
end
end
yield
end
end
end
|
