@@ -523,6 +523,40 @@ def test_removes_wls_response_from_URL_401(self):
523523 r = client .get ("/decorated" )
524524 assert r .status_code == 401
525525
526+ # Sadly, the real world raven still uses version 1 for negative responses
527+ def test_handles_v1_removing_query_parameters (self ):
528+ rig = TestRig ()
529+
530+ with rig as (client , wls , views ):
531+ r = client .get ("/decorated?special" )
532+ assert r .status_code == 303
533+ url , query = r .headers ["location" ].split ("?" )
534+
535+ with rig as (client , wls , views ):
536+ u = "http://localhost/decorated?special"
537+ status = ucam_webauth .STATUS_CANCELLED
538+ wls .expect ({"url" : u }, make_response (ver = 1 , status = status , url = u ))
539+
540+ r = client .get (url , query_string = query )
541+ assert r .status_code == 302
542+ url , query = r .headers ["location" ].split ("?" )
543+ assert url == "http://localhost/decorated"
544+
545+ # with a v1 response, the WLS actually deletes other query parameters
546+ assert query .startswith ("special&WLS-Response" )
547+ query = query [len ("special&" ):]
548+
549+ with rig as (client , wls , views ):
550+ r = client .get ("/decorated" , query_string = query )
551+ assert r .status_code == 303
552+ # it should restore the query parameter:
553+ assert r .headers ["location" ] == "http://localhost/decorated?special"
554+
555+ with rig as (client , wls , views ):
556+ # and finally give us a 401
557+ r = client .get ("/decorated?special" )
558+ assert r .status_code == 401
559+
526560 def test_require_default (self ):
527561 self .check_auth (TestRig (), principal = "something" ,
528562 ptags = set (["current" ]))
@@ -632,10 +666,22 @@ def test_issue_bounds(self):
632666
633667 def test_checks_url (self ):
634668 rig = TestRig ()
669+ # Modify response.url: it should cause a mis-match
635670 self .check_auth_abort (rig , 400 , url = "http://localhost/other" )
636671 self .check_auth_abort (rig , 400 , url = "http://other/decorated" )
637672 self .check_auth_abort (rig , 400 , url = "http://localhost/decorated?test" )
638673
674+ rig = TestRig ()
675+
676+ with rig as (client , wls , views ):
677+ # keep the response url as before, but modify the request url so
678+ # that they do not match
679+ url = "http://localhost/decorated?special"
680+ wls .expect ({"url" : url }, make_response (principal = "djr61" ))
681+
682+ response = client .get ("/decorated?special" , follow_redirects = True )
683+ assert response .status_code == 400
684+
639685 def test_doesnt_nuke_session (self ):
640686 rig = TestRig ()
641687
@@ -952,3 +998,9 @@ class R(flask.Request):
952998
953999 assert_raises (RuntimeError ,
9541000 client .get , "/decorated" , follow_redirects = True )
1001+
1002+ # Check that the v1 branch doesn't break anything.
1003+ # I'm tempted to say that a ver=1 successful response should be rejected, but
1004+ # I'm not sure.
1005+ def test_auth_v1 (self ):
1006+ self .check_auth (TestRig (), ver = 1 )
0 commit comments