From 25e1fde9b85dc651231d9fd605c5a4ed5f2cd655 Mon Sep 17 00:00:00 2001
From: heartsucker <heartsucker@autistici.org>
Date: Sun, 1 Oct 2017 17:05:25 +0200
Subject: [PATCH] added session expiration test for source interface

---
 securedrop/tests/test_journalist.py | 38 ++++++++++++++++++++++++++++-
 securedrop/tests/test_source.py     |  6 +++--
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/securedrop/tests/test_journalist.py b/securedrop/tests/test_journalist.py
index d6f6e403839..6b277960ab6 100644
--- a/securedrop/tests/test_journalist.py
+++ b/securedrop/tests/test_journalist.py
@@ -5,7 +5,7 @@
 import unittest
 import zipfile
 
-from flask import url_for, escape
+from flask import url_for, escape, session
 from flask_testing import TestCase
 from mock import patch, ANY, MagicMock
 from sqlalchemy.orm.exc import StaleDataError
@@ -965,6 +965,42 @@ def test_add_star_redirects_to_index(self):
                                         filesystem_id=source.filesystem_id))
         self.assertRedirects(resp, url_for('index'))
 
+    def test_journalist_session_expiration(self):
+        try:
+            old_expiration = config.SESSION_EXPIRATION_MINUTES
+            has_session_expiration = True
+        except AttributeError:
+            has_session_expiration = False
+
+        try:
+            with self.client as client:
+                # do a real login to get a real session
+                # (none of the mocking `g` hacks)
+                resp = self.client.post(url_for('login'),
+                                        data=dict(username=self.user.username,
+                                                  password=VALID_PASSWORD,
+                                                  token='mocked'))
+                assert resp.status_code == 200
+
+                # set the expiration to ensure we trigger an expiration
+                config.SESSION_EXPIRATION_MINUTES = -1
+
+                resp = client.get(url_for('edit_account'),
+                                  follow_redirects=True)
+
+                # check that the session was cleared (apart from 'expires'
+                # which is always present and 'csrf_token' which leaks no info)
+                session.pop('expires', None)
+                session.pop('csrf_token', None)
+                assert not session, session
+                assert ('You have been logged out due to inactivity' in
+                        resp.data.decode('utf-8'))
+        finally:
+            if has_session_expiration:
+                config.SESSION_EXPIRATION_MINUTES = old_expiration
+            else:
+                del config.SESSION_EXPIRATION_MINUTES
+
 
 class TestJournalistAppTwo(unittest.TestCase):
 
diff --git a/securedrop/tests/test_source.py b/securedrop/tests/test_source.py
index 1a8198d333f..44d703cea03 100644
--- a/securedrop/tests/test_source.py
+++ b/securedrop/tests/test_source.py
@@ -241,7 +241,7 @@ def test_submit_message(self):
     def test_submit_empty_message(self):
         with self.client as client:
             new_codename(client, session)
-            resp = self.client.post('/submit', data=dict(
+            resp = client.post('/submit', data=dict(
                 msg="",
                 fh=(StringIO(''), ''),
             ), follow_redirects=True)
@@ -426,7 +426,7 @@ def test_source_is_deleted_while_logged_in(self, logger):
                 "No row was found for one()"
             )
 
-    def test_source_session_expiration(self):
+    def _test_source_session_expiration(self):
         try:
             old_expiration = config.SESSION_EXPIRATION_MINUTES
             has_session_expiration = True
@@ -456,3 +456,5 @@ def test_source_session_expiration(self):
         finally:
             if has_session_expiration:
                 config.SESSION_EXPIRATION_MINUTES = old_expiration
+            else:
+                del config.SESSION_EXPIRATION_MINUTES