path: root/test/test_api.py
authorjfriedli2020-04-26 09:50:14 -0700
committerjfriedli2020-04-26 09:50:14 -0700
commitc301e472bd7fd79d675c5df089db0b16fd1e2cfe (patch)
treec3332e0f974edc09881b5534c35becc5b9fffa3b /test/test_api.py
parente1bac8b6a7fd857f38b7bcb678398c82baaa8fd5 (diff)
Resolve "Use a HMAC instead of a hash"
Diffstat (limited to 'test/test_api.py')
-rw-r--r--test/test_api.py74
1 files changed, 41 insertions, 33 deletions
diff --git a/test/test_api.py b/test/test_api.py
index 36aae9d..4925d9e 100644
--- a/test/test_api.py
+++ b/test/test_api.py
@@ -30,33 +30,26 @@ class Mat2APITestCase(unittest.TestCase):
30 del os.environ['MAT2_ALLOW_ORIGIN_WHITELIST'] 30 del os.environ['MAT2_ALLOW_ORIGIN_WHITELIST']
31 31
32 def test_api_upload_valid(self): 32 def test_api_upload_valid(self):
33 request = self.app.post('/api/upload', 33 request = self.app.post(
34 data='{"file_name": "test_name.jpg", ' 34 '/api/upload',
35 '"file": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAf' 35 data='{"file_name": "test_name.jpg", '
36 'FcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg=="}', 36 '"file": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAf'
37 headers={'content-type': 'application/json'} 37 'FcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg=="}',
38 ) 38 headers={'content-type': 'application/json'}
39 )
39 self.assertEqual(request.headers['Content-Type'], 'application/json') 40 self.assertEqual(request.headers['Content-Type'], 'application/json')
40 self.assertEqual(request.headers['Access-Control-Allow-Origin'], 'origin1.gnu') 41 self.assertEqual(request.headers['Access-Control-Allow-Origin'], 'origin1.gnu')
41 self.assertEqual(request.status_code, 200) 42 self.assertEqual(request.status_code, 200)
42 43
43 data = request.get_json() 44 data = request.get_json()
44 expected = { 45 self.assertEqual(data['output_filename'], 'test_name.cleaned.jpg')
45 'output_filename': 'test_name.cleaned.jpg', 46 self.assertEqual(data['output_filename'], 'test_name.cleaned.jpg')
46 'mime': 'image/jpeg', 47 self.assertEqual(data['mime'], 'image/jpeg')
47 'key': '81a541f9ebc0233d419d25ed39908b16f82be26a783f32d56c381559e84e6161', 48 self.assertEqual(len(data['secret']), 64)
48 'meta': { 49 self.assertEqual(len(data['key']), 64)
49 'BitDepth': 8, 50 self.assertNotEqual(data['key'], data['secret'])
50 'ColorType': 'RGB with Alpha', 51 self.assertTrue('http://localhost/api/download/' in data['download_link'])
51 'Compression': 'Deflate/Inflate', 52 self.assertTrue('test_name.cleaned.jpg' in data['download_link'])
52 'Filter': 'Adaptive',
53 'Interlace': 'Noninterlaced'
54 },
55 'meta_after': {},
56 'download_link': 'http://localhost/api/download/'
57 '81a541f9ebc0233d419d25ed39908b16f82be26a783f32d56c381559e84e6161/test_name.cleaned.jpg'
58 }
59 self.assertEqual(data, expected)
60 53
61 def test_api_upload_missing_params(self): 54 def test_api_upload_missing_params(self):
62 request = self.app.post('/api/upload', 55 request = self.app.post('/api/upload',
@@ -141,7 +134,6 @@ class Mat2APITestCase(unittest.TestCase):
141 error = request.get_json()['message'] 134 error = request.get_json()['message']
142 self.assertEqual(error, 'Unable to clean application/zip') 135 self.assertEqual(error, 'Unable to clean application/zip')
143 136
144
145 def test_api_download(self): 137 def test_api_download(self):
146 request = self.app.post('/api/upload', 138 request = self.app.post('/api/upload',
147 data='{"file_name": "test_name.jpg", ' 139 data='{"file_name": "test_name.jpg", '
@@ -152,25 +144,36 @@ class Mat2APITestCase(unittest.TestCase):
152 self.assertEqual(request.status_code, 200) 144 self.assertEqual(request.status_code, 200)
153 data = request.get_json() 145 data = request.get_json()
154 146
155 request = self.app.get('http://localhost/api/download/' 147 request = self.app.get('http://localhost/api/download/161/'
156 '81a541f9ebc0233d419d25ed39908b16f82be26a783f32d56c381559e84e6161/test name.cleaned.jpg') 148 '81a541f9ebc0233d419d25ed39908b16f82be26a783f32d56c381559e84e6161/test name.cleaned.jpg')
157 self.assertEqual(request.status_code, 400) 149 self.assertEqual(request.status_code, 400)
158 error = request.get_json()['message'] 150 error = request.get_json()['message']
159 self.assertEqual(error, 'Insecure filename') 151 self.assertEqual(error, 'Insecure filename')
160 152
161 request = self.app.get('http://localhost/api/download/' 153 request = self.app.get(data['download_link'].replace('test_name', 'wrong_test'))
162 '81a541f9ebc0233d419d25ed39908b16f82be26a783f32d56c381559e84e6161/'
163 'wrong_file_name.jpg')
164 self.assertEqual(request.status_code, 404) 154 self.assertEqual(request.status_code, 404)
165 error = request.get_json()['message'] 155 error = request.get_json()['message']
166 self.assertEqual(error, 'File not found') 156 self.assertEqual(error, 'File not found')
167 157
168 request = self.app.get('http://localhost/api/download/81a541f9e/test_name.cleaned.jpg') 158 uri_parts = data['download_link'].split("/")
159 self.assertEqual(len(uri_parts[5]), len(uri_parts[6]))
160 self.assertEqual(64, len(uri_parts[5]))
161
162 key_uri_parts = uri_parts
163 key_uri_parts[5] = '70623619c'
164 request = self.app.get("/".join(key_uri_parts))
169 self.assertEqual(request.status_code, 400) 165 self.assertEqual(request.status_code, 400)
170 166
171 error = request.get_json()['message'] 167 error = request.get_json()['message']
172 self.assertEqual(error, 'The file hash does not match') 168 self.assertEqual(error, 'The file hash does not match')
173 169
170 key_uri_parts = uri_parts
171 key_uri_parts[6] = '70623619c'
172 request = self.app.get("/".join(key_uri_parts))
173 self.assertEqual(request.status_code, 400)
174 error = request.get_json()['message']
175 self.assertEqual(error, 'The file hash does not match')
176
174 request = self.app.head(data['download_link']) 177 request = self.app.head(data['download_link'])
175 self.assertEqual(request.status_code, 200) 178 self.assertEqual(request.status_code, 200)
176 self.assertEqual(request.headers['Content-Length'], '633') 179 self.assertEqual(request.headers['Content-Length'], '633')
@@ -205,11 +208,13 @@ class Mat2APITestCase(unittest.TestCase):
205 u'download_list': [ 208 u'download_list': [
206 { 209 {
207 u'file_name': upload_one['output_filename'], 210 u'file_name': upload_one['output_filename'],
208 u'key': upload_one['key'] 211 u'key': upload_one['key'],
212 u'secret': upload_one['secret']
209 }, 213 },
210 { 214 {
211 u'file_name': upload_two['output_filename'], 215 u'file_name': upload_two['output_filename'],
212 u'key': upload_two['key'] 216 u'key': upload_two['key'],
217 u'secret': upload_two['secret']
213 } 218 }
214 ] 219 ]
215 } 220 }
@@ -261,7 +266,8 @@ class Mat2APITestCase(unittest.TestCase):
261 u'download_list': [ 266 u'download_list': [
262 { 267 {
263 u'file_name': 'invalid_file_name', 268 u'file_name': 'invalid_file_name',
264 u'key': 'invalid_key' 269 u'key': 'invalid_key',
270 u'secret': 'invalid_secret'
265 } 271 }
266 ] 272 ]
267 } 273 }
@@ -348,11 +354,13 @@ class Mat2APITestCase(unittest.TestCase):
348 u'download_list': [ 354 u'download_list': [
349 { 355 {
350 u'file_name': 'invalid_file_name1', 356 u'file_name': 'invalid_file_name1',
351 u'key': 'invalid_key1' 357 u'key': 'invalid_key1',
358 u'secret': 'invalid_secret1'
352 }, 359 },
353 { 360 {
354 u'file_name': 'invalid_file_name2', 361 u'file_name': 'invalid_file_name2',
355 u'key': 'invalid_key2' 362 u'key': 'invalid_key2',
363 u'secret': 'invalid_secret2'
356 } 364 }
357 ] 365 ]
358 } 366 }
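Review bot: In the test_api_download hunk (`@@ -152,25 +144,36 @@`), `key_uri_parts = uri_parts` binds a second name to the same list instead of copying it, so the first mutation `key_uri_parts[5] = '70623619c'` also rewrites `uri_parts`, and when the second block sets index 6 the request carries a bad key and a bad secret at once — the "valid key, wrong secret" path that the HMAC change is meant to guard is never actually exercised. Use `key_uri_parts = list(uri_parts)` (or `uri_parts.copy()`) before each mutation so every request differs from the valid link in exactly one segment, and consider a comment such as `# index 5 is the key, index 6 is the secret` above the split, since the magic indices otherwise depend on the unstated link layout. In the first hunk, new line 46 repeats the `output_filename` assertion from line 45, and the exact `meta` comparison was dropped rather than rewritten; a length check on `key`/`secret` is the right replacement for values that now depend on server-side secret material, but the `meta` dictionary could still be asserted exactly. test_api_download begins and continues outside this hunk.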