bostame/workdock-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d228723f9153fffee0e5aef8c612278a8cc0cef
workdock-platform/backend/workflows/tests/test_security_hardening.py
Md Bayazid Bostame 8d228723f9 snapshot: preserve session hardening and account surface
2026-03-27 01:11:29 +01:00

97 lines
4.2 KiB
Python
Raw Blame History

from django.contrib.auth import get_user_model
from django.test import Client, TestCase, override_settings
from workflows.checks import security_settings_check
@override_settings(DEBUG=True)
class RateLimitMiddlewareTests(TestCase):
@override_settings(RATE_LIMIT_LOGIN_LIMIT=2, RATE_LIMIT_LOGIN_WINDOW=60)
def test_login_is_rate_limited(self):
client = Client(REMOTE_ADDR='10.10.10.10')
for _ in range(2):
response = client.post('/accounts/login/', {'username': 'x', 'password': 'y'}, HTTP_HOST='localhost')
self.assertNotEqual(response.status_code, 429)
response = client.post('/accounts/login/', {'username': 'x', 'password': 'y'}, HTTP_HOST='localhost')
self.assertEqual(response.status_code, 429)
self.assertIn('Retry-After', response)
@override_settings(RATE_LIMIT_PASSWORD_RESET_LIMIT=1, RATE_LIMIT_PASSWORD_RESET_WINDOW=60)
def test_password_reset_is_rate_limited(self):
client = Client(REMOTE_ADDR='10.10.10.20')
response = client.post('/accounts/password_reset/', {'email': 'nobody@example.com'}, HTTP_HOST='localhost')
self.assertNotEqual(response.status_code, 429)
response = client.post('/accounts/password_reset/', {'email': 'nobody@example.com'}, HTTP_HOST='localhost')
self.assertEqual(response.status_code, 429)
@override_settings(RATE_LIMIT_ADMIN_ACTION_LIMIT=1, RATE_LIMIT_ADMIN_ACTION_WINDOW=60)
def test_sensitive_admin_posts_are_rate_limited(self):
client = Client(REMOTE_ADDR='10.10.10.30')
response = client.post('/admin-tools/branding/save/', {'portal_title': 'A'}, HTTP_HOST='localhost')
self.assertNotEqual(response.status_code, 429)
response = client.post('/admin-tools/branding/save/', {'portal_title': 'B'}, HTTP_HOST='localhost')
self.assertEqual(response.status_code, 429)
@override_settings(RATE_LIMIT_LOGIN_LIMIT=1, RATE_LIMIT_LOGIN_WINDOW=60)
def test_get_requests_are_not_rate_limited(self):
client = Client(REMOTE_ADDR='10.10.10.40')
first = client.get('/accounts/login/', HTTP_HOST='localhost')
second = client.get('/accounts/login/', HTTP_HOST='localhost')
self.assertEqual(first.status_code, 200)
self.assertEqual(second.status_code, 200)
class SecurityChecksTests(TestCase):
@override_settings(
DEBUG=False,
SECRET_KEY='unsafe-dev-key',
ALLOWED_HOSTS=[],
SESSION_COOKIE_SECURE=False,
CSRF_COOKIE_SECURE=False,
SECURE_SSL_REDIRECT=False,
RUN_SECURITY_CHECKS_DURING_TESTS=True,
)
def test_security_checks_report_production_issues(self):
issues = security_settings_check(None)
ids = {issue.id for issue in issues}
self.assertIn('workdock.E001', ids)
self.assertIn('workdock.E002', ids)
self.assertIn('workdock.E003', ids)
self.assertIn('workdock.E004', ids)
self.assertIn('workdock.W001', ids)
@override_settings(DEBUG=True)
class AuthSessionHardeningTests(TestCase):
def setUp(self):
self.user = get_user_model().objects.create_user(username='security-user', password='secret-12345')
@override_settings(SESSION_IDLE_TIMEOUT_SECONDS=60)
def test_idle_session_forces_relogin(self):
client = Client(REMOTE_ADDR='10.10.10.50')
client.force_login(self.user)
session = client.session
session['last_activity_ts'] = 1
session['auth_fresh_ts'] = 1
session.save()
response = client.get('/', HTTP_HOST='localhost')
self.assertEqual(response.status_code, 302)
self.assertIn('/accounts/login/', response['Location'])
@override_settings(SENSITIVE_ACTION_REAUTH_SECONDS=60)
def test_stale_sensitive_post_forces_relogin(self):
client = Client(REMOTE_ADDR='10.10.10.60')
client.force_login(self.user)
session = client.session
session['last_activity_ts'] = 9999999999
session['auth_fresh_ts'] = 1
session.save()
response = client.post('/admin-tools/branding/save/', {'portal_title': 'Blocked'}, HTTP_HOST='localhost')
self.assertEqual(response.status_code, 302)
self.assertIn('/accounts/login/', response['Location'])
Reference in New Issue View Git Blame Copy Permalink