Fixed #31789 -- Added a new headers interface to HttpResponse.

This commit is contained in:
Tom Carrick 2020-07-14 13:32:24 +02:00 committed by Mariusz Felisiak
parent 71ae1ab012
commit bcc2befd0e
47 changed files with 385 additions and 256 deletions

View file

@ -17,7 +17,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
response = HttpResponse(*args, **kwargs)
if headers:
for k, v in headers.items():
response[k] = v
response.headers[k] = v
return response
return get_response
@ -47,7 +47,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
"Strict-Transport-Security: max-age=3600" to the response.
"""
self.assertEqual(
self.process_response(secure=True)["Strict-Transport-Security"],
self.process_response(secure=True).headers['Strict-Transport-Security'],
'max-age=3600',
)
@ -60,7 +60,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
response = self.process_response(
secure=True,
headers={"Strict-Transport-Security": "max-age=7200"})
self.assertEqual(response["Strict-Transport-Security"], "max-age=7200")
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=7200")
@override_settings(SECURE_HSTS_SECONDS=3600)
def test_sts_only_if_secure(self):
@ -68,7 +68,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
The "Strict-Transport-Security" header is not added to responses going
over an insecure connection.
"""
self.assertNotIn("Strict-Transport-Security", self.process_response(secure=False))
self.assertNotIn(
'Strict-Transport-Security',
self.process_response(secure=False).headers,
)
@override_settings(SECURE_HSTS_SECONDS=0)
def test_sts_off(self):
@ -76,7 +79,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_HSTS_SECONDS=0, the middleware does not add a
"Strict-Transport-Security" header to the response.
"""
self.assertNotIn("Strict-Transport-Security", self.process_response(secure=True))
self.assertNotIn(
'Strict-Transport-Security',
self.process_response(secure=True).headers,
)
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=True)
def test_sts_include_subdomains(self):
@ -86,7 +92,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
"includeSubDomains" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response["Strict-Transport-Security"], "max-age=600; includeSubDomains")
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=600; includeSubDomains',
)
@override_settings(SECURE_HSTS_SECONDS=600, SECURE_HSTS_INCLUDE_SUBDOMAINS=False)
def test_sts_no_include_subdomains(self):
@ -96,7 +105,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
the "includeSubDomains" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response["Strict-Transport-Security"], "max-age=600")
self.assertEqual(response.headers["Strict-Transport-Security"], "max-age=600")
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=True)
def test_sts_preload(self):
@ -106,7 +115,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400; preload")
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400; preload',
)
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_INCLUDE_SUBDOMAINS=True, SECURE_HSTS_PRELOAD=True)
def test_sts_subdomains_and_preload(self):
@ -117,7 +129,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400; includeSubDomains; preload")
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400; includeSubDomains; preload',
)
@override_settings(SECURE_HSTS_SECONDS=10886400, SECURE_HSTS_PRELOAD=False)
def test_sts_no_preload(self):
@ -127,7 +142,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
the "preload" directive to the response.
"""
response = self.process_response(secure=True)
self.assertEqual(response["Strict-Transport-Security"], "max-age=10886400")
self.assertEqual(
response.headers['Strict-Transport-Security'],
'max-age=10886400',
)
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
def test_content_type_on(self):
@ -135,7 +153,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_CONTENT_TYPE_NOSNIFF set to True, the middleware adds
"X-Content-Type-Options: nosniff" header to the response.
"""
self.assertEqual(self.process_response()["X-Content-Type-Options"], "nosniff")
self.assertEqual(
self.process_response().headers['X-Content-Type-Options'],
'nosniff',
)
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=True)
def test_content_type_already_present(self):
@ -144,7 +165,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
already present in the response.
"""
response = self.process_response(secure=True, headers={"X-Content-Type-Options": "foo"})
self.assertEqual(response["X-Content-Type-Options"], "foo")
self.assertEqual(response.headers["X-Content-Type-Options"], "foo")
@override_settings(SECURE_CONTENT_TYPE_NOSNIFF=False)
def test_content_type_off(self):
@ -152,7 +173,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_CONTENT_TYPE_NOSNIFF False, the middleware does not add an
"X-Content-Type-Options" header to the response.
"""
self.assertNotIn("X-Content-Type-Options", self.process_response())
self.assertNotIn('X-Content-Type-Options', self.process_response().headers)
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
def test_xss_filter_on(self):
@ -160,7 +181,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_BROWSER_XSS_FILTER set to True, the middleware adds
"s-xss-protection: 1; mode=block" header to the response.
"""
self.assertEqual(self.process_response()["X-XSS-Protection"], "1; mode=block")
self.assertEqual(
self.process_response().headers['X-XSS-Protection'],
'1; mode=block',
)
@override_settings(SECURE_BROWSER_XSS_FILTER=True)
def test_xss_filter_already_present(self):
@ -169,7 +193,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
already present in the response.
"""
response = self.process_response(secure=True, headers={"X-XSS-Protection": "foo"})
self.assertEqual(response["X-XSS-Protection"], "foo")
self.assertEqual(response.headers["X-XSS-Protection"], "foo")
@override_settings(SECURE_BROWSER_XSS_FILTER=False)
def test_xss_filter_off(self):
@ -177,7 +201,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_BROWSER_XSS_FILTER set to False, the middleware does not
add an "X-XSS-Protection" header to the response.
"""
self.assertNotIn("X-XSS-Protection", self.process_response())
self.assertNotIn('X-XSS-Protection', self.process_response().headers)
@override_settings(SECURE_SSL_REDIRECT=True)
def test_ssl_redirect_on(self):
@ -229,7 +253,7 @@ class SecurityMiddlewareTest(SimpleTestCase):
With SECURE_REFERRER_POLICY set to None, the middleware does not add a
"Referrer-Policy" header to the response.
"""
self.assertNotIn('Referrer-Policy', self.process_response())
self.assertNotIn('Referrer-Policy', self.process_response().headers)
def test_referrer_policy_on(self):
"""
@ -245,7 +269,10 @@ class SecurityMiddlewareTest(SimpleTestCase):
)
for value, expected in tests:
with self.subTest(value=value), override_settings(SECURE_REFERRER_POLICY=value):
self.assertEqual(self.process_response()['Referrer-Policy'], expected)
self.assertEqual(
self.process_response().headers['Referrer-Policy'],
expected,
)
@override_settings(SECURE_REFERRER_POLICY='strict-origin')
def test_referrer_policy_already_present(self):
@ -254,4 +281,4 @@ class SecurityMiddlewareTest(SimpleTestCase):
present in the response.
"""
response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
self.assertEqual(response['Referrer-Policy'], 'unsafe-url')
self.assertEqual(response.headers['Referrer-Policy'], 'unsafe-url')

View file

@ -292,7 +292,7 @@ class CommonMiddlewareTest(SimpleTestCase):
return response
response = CommonMiddleware(get_response)(self.rf.get('/'))
self.assertEqual(int(response['Content-Length']), len(response.content))
self.assertEqual(int(response.headers['Content-Length']), len(response.content))
def test_content_length_header_not_added_for_streaming_response(self):
def get_response(req):
@ -308,11 +308,11 @@ class CommonMiddlewareTest(SimpleTestCase):
def get_response(req):
response = HttpResponse()
response['Content-Length'] = bad_content_length
response.headers['Content-Length'] = bad_content_length
return response
response = CommonMiddleware(get_response)(self.rf.get('/'))
self.assertEqual(int(response['Content-Length']), bad_content_length)
self.assertEqual(int(response.headers['Content-Length']), bad_content_length)
# Other tests
@ -607,7 +607,7 @@ class ConditionalGetMiddlewareTest(SimpleTestCase):
self.assertEqual(new_response.status_code, 304)
base_response = get_response(self.req)
for header in ('Cache-Control', 'Content-Location', 'Date', 'ETag', 'Expires', 'Last-Modified', 'Vary'):
self.assertEqual(new_response[header], base_response[header])
self.assertEqual(new_response.headers[header], base_response.headers[header])
self.assertEqual(new_response.cookies, base_response.cookies)
self.assertNotIn('Content-Language', new_response)
@ -622,7 +622,7 @@ class ConditionalGetMiddlewareTest(SimpleTestCase):
return HttpResponse(status=200)
response = ConditionalGetMiddleware(self.get_response)(self.req)
etag = response['ETag']
etag = response.headers['ETag']
put_request = self.request_factory.put('/', HTTP_IF_MATCH=etag)
conditional_get_response = ConditionalGetMiddleware(get_200_response)(put_request)
self.assertEqual(conditional_get_response.status_code, 200) # should never be a 412
@ -653,11 +653,11 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
"""
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
with override_settings(X_FRAME_OPTIONS='sameorigin'):
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
def test_deny(self):
"""
@ -666,11 +666,11 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
"""
with override_settings(X_FRAME_OPTIONS='DENY'):
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'DENY')
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
with override_settings(X_FRAME_OPTIONS='deny'):
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'DENY')
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
def test_defaults_sameorigin(self):
"""
@ -680,7 +680,7 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
with override_settings(X_FRAME_OPTIONS=None):
del settings.X_FRAME_OPTIONS # restored by override_settings
r = XFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'DENY')
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
def test_dont_set_if_set(self):
"""
@ -689,21 +689,21 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
"""
def same_origin_response(request):
response = HttpResponse()
response['X-Frame-Options'] = 'SAMEORIGIN'
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
return response
def deny_response(request):
response = HttpResponse()
response['X-Frame-Options'] = 'DENY'
response.headers['X-Frame-Options'] = 'DENY'
return response
with override_settings(X_FRAME_OPTIONS='DENY'):
r = XFrameOptionsMiddleware(same_origin_response)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
r = XFrameOptionsMiddleware(deny_response)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'DENY')
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
def test_response_exempt(self):
"""
@ -722,10 +722,10 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
r = XFrameOptionsMiddleware(xframe_not_exempt_response)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
r = XFrameOptionsMiddleware(xframe_exempt_response)(HttpRequest())
self.assertIsNone(r.get('X-Frame-Options'))
self.assertIsNone(r.headers.get('X-Frame-Options'))
def test_is_extendable(self):
"""
@ -749,16 +749,16 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
with override_settings(X_FRAME_OPTIONS='DENY'):
r = OtherXFrameOptionsMiddleware(same_origin_response)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
request = HttpRequest()
request.sameorigin = True
r = OtherXFrameOptionsMiddleware(get_response_empty)(request)
self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
self.assertEqual(r.headers['X-Frame-Options'], 'SAMEORIGIN')
with override_settings(X_FRAME_OPTIONS='SAMEORIGIN'):
r = OtherXFrameOptionsMiddleware(get_response_empty)(HttpRequest())
self.assertEqual(r['X-Frame-Options'], 'DENY')
self.assertEqual(r.headers['X-Frame-Options'], 'DENY')
class GZipMiddlewareTest(SimpleTestCase):
@ -916,12 +916,12 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
"""
def get_response(req):
response = HttpResponse(self.compressible_string)
response['ETag'] = '"eggs"'
response.headers['ETag'] = '"eggs"'
return response
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
gzip_response = GZipMiddleware(get_response)(request)
self.assertEqual(gzip_response['ETag'], 'W/"eggs"')
self.assertEqual(gzip_response.headers['ETag'], 'W/"eggs"')
def test_weak_etag_not_modified(self):
"""
@ -929,12 +929,12 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
"""
def get_response(req):
response = HttpResponse(self.compressible_string)
response['ETag'] = 'W/"eggs"'
response.headers['ETag'] = 'W/"eggs"'
return response
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
gzip_response = GZipMiddleware(get_response)(request)
self.assertEqual(gzip_response['ETag'], 'W/"eggs"')
self.assertEqual(gzip_response.headers['ETag'], 'W/"eggs"')
def test_etag_match(self):
"""
@ -949,7 +949,7 @@ class ETagGZipMiddlewareTest(SimpleTestCase):
request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate')
response = GZipMiddleware(get_cond_response)(request)
gzip_etag = response['ETag']
gzip_etag = response.headers['ETag']
next_request = self.rf.get('/', HTTP_ACCEPT_ENCODING='gzip, deflate', HTTP_IF_NONE_MATCH=gzip_etag)
next_response = ConditionalGetMiddleware(get_response)(next_request)
self.assertEqual(next_response.status_code, 304)