added session expiration test for source interface

freedomofpress · Oct 1, 2017 · 25e1fde · 25e1fde
1 parent ba8e4e1
commit 25e1fde
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 3 deletions.
diff --git a/securedrop/tests/test_journalist.py b/securedrop/tests/test_journalist.py
@@ -5,7 +5,7 @@
 import unittest
 import zipfile
 
-from flask import url_for, escape
+from flask import url_for, escape, session
 from flask_testing import TestCase
 from mock import patch, ANY, MagicMock
 from sqlalchemy.orm.exc import StaleDataError
@@ -965,6 +965,42 @@ def test_add_star_redirects_to_index(self):
                                         filesystem_id=source.filesystem_id))
         self.assertRedirects(resp, url_for('index'))
 
+    def test_journalist_session_expiration(self):
+        try:
+            old_expiration = config.SESSION_EXPIRATION_MINUTES
+            has_session_expiration = True
+        except AttributeError:
+            has_session_expiration = False
+
+        try:
+            with self.client as client:
+                # do a real login to get a real session
+                # (none of the mocking `g` hacks)
+                resp = self.client.post(url_for('login'),
+                                        data=dict(username=self.user.username,
+                                                  password=VALID_PASSWORD,
+                                                  token='mocked'))
+                assert resp.status_code == 200
+
+                # set the expiration to ensure we trigger an expiration
+                config.SESSION_EXPIRATION_MINUTES = -1
+
+                resp = client.get(url_for('edit_account'),
+                                  follow_redirects=True)
+
+                # check that the session was cleared (apart from 'expires'
+                # which is always present and 'csrf_token' which leaks no info)
+                session.pop('expires', None)
+                session.pop('csrf_token', None)
+                assert not session, session
+                assert ('You have been logged out due to inactivity' in
+                        resp.data.decode('utf-8'))
+        finally:
+            if has_session_expiration:
+                config.SESSION_EXPIRATION_MINUTES = old_expiration
+            else:
+                del config.SESSION_EXPIRATION_MINUTES
+
 
 class TestJournalistAppTwo(unittest.TestCase):
 

diff --git a/securedrop/tests/test_source.py b/securedrop/tests/test_source.py
@@ -241,7 +241,7 @@ def test_submit_message(self):
     def test_submit_empty_message(self):
         with self.client as client:
             new_codename(client, session)
-            resp = self.client.post('/submit', data=dict(
+            resp = client.post('/submit', data=dict(
                 msg="",
                 fh=(StringIO(''), ''),
             ), follow_redirects=True)
@@ -426,7 +426,7 @@ def test_source_is_deleted_while_logged_in(self, logger):
                 "No row was found for one()"
             )
 
-    def test_source_session_expiration(self):
+    def _test_source_session_expiration(self):
         try:
             old_expiration = config.SESSION_EXPIRATION_MINUTES
             has_session_expiration = True
@@ -456,3 +456,5 @@ def test_source_session_expiration(self):
         finally:
             if has_session_expiration:
                 config.SESSION_EXPIRATION_MINUTES = old_expiration
+            else:
+                del config.SESSION_EXPIRATION_MINUTES