authorChris Jerdonek <chris.jerdonek@gmail.com>2021-08-02 17:08:16 -0400
committerCarlton Gibson <carlton@noumenal.es>2021-08-17 12:23:54 +0200
commitbe1fd6645d4219b5c74152776e74d9e636b08554 (patch)
tree8dcee14a133a9ae46534025ec0c1cc2047eadd09 /tests/csrf_tests
parent7aba820aca98a3db77d405b616c9a2d39562f076 (diff)
downloaddjango-be1fd6645d4219b5c74152776e74d9e636b08554.tar.gz
Refs #32800 -- Added test_masked_secret_accepted_and_not_replaced().
This improves test_bare_secret_accepted_and_replaced() by adding a stronger assertion. It also adds a parallel test for the non-bare (masked) case.
Diffstat (limited to 'tests/csrf_tests')
-rw-r--r--tests/csrf_tests/tests.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 10171adb2a..0ae1eca516 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -1177,9 +1177,23 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
self.assertTrue(csrf_cookie, msg='No CSRF cookie was sent.')
self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH)
+ def test_masked_secret_accepted_and_not_replaced(self):
+ """
+ The csrf cookie is left unchanged if originally masked.
+ """
+ req = self._get_POST_request_with_token(cookie=MASKED_TEST_SECRET1)
+ mw = CsrfViewMiddleware(token_view)
+ mw.process_request(req)
+ resp = mw.process_view(req, token_view, (), {})
+ self.assertIsNone(resp)
+ resp = mw(req)
+ csrf_cookie = self._read_csrf_cookie(req, resp)
+ self.assertEqual(csrf_cookie, MASKED_TEST_SECRET1)
+ self._check_token_present(resp, csrf_cookie)
+
def test_bare_secret_accepted_and_replaced(self):
"""
- The csrf token is reset from a bare secret.
+ The csrf cookie is reset (masked) if originally not masked.
"""
req = self._get_POST_request_with_token(cookie=TEST_SECRET)
mw = CsrfViewMiddleware(token_view)
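Review bot: The docstring of the new test_masked_secret_accepted_and_not_replaced() does not name the property the assertion `self.assertEqual(csrf_cookie, MASKED_TEST_SECRET1)` is pinning, namely that a cookie which already carries a masked secret is sent back as-is rather than being re-masked with a fresh mask. I would expand it to `A cookie that already holds a masked secret is sent back unchanged (not re-masked); the token in the response still corresponds to it.` The last clause rests on what `_check_token_present()` verifies, which is defined outside this hunk, so drop it if that helper only checks presence. Note also that an equality check cannot tell "not replaced" from "replaced with an identical value": if `_read_csrf_cookie()` reads `resp.cookies` that is fine here, but if it falls back to the request's cookies the test would also pass when no cookie is sent at all, so it is worth confirming which it does.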
@@ -1188,7 +1202,8 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
self.assertIsNone(resp)
resp = mw(req)
csrf_cookie = self._read_csrf_cookie(req, resp)
- self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH)
+ # This also checks that csrf_cookie now has length CSRF_TOKEN_LENGTH.
+ self.assertMaskedSecretCorrect(csrf_cookie, TEST_SECRET)
self._check_token_present(resp, csrf_cookie)
@override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)
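Review bot: The comment added above `self.assertMaskedSecretCorrect(csrf_cookie, TEST_SECRET)` documents an incidental side effect of a helper defined outside this hunk and will silently go stale if that helper changes. I would phrase it in terms of the property under test instead, e.g. `# The bare secret must come back masked: the cookie presumably unmasks to TEST_SECRET (and a masked value is CSRF_TOKEN_LENGTH long).`, adjusted to what the helper actually asserts. If the length check is meant to be a hard requirement of this test in its own right, keep the removed `self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH)` alongside rather than relying on the helper's internals. The enclosing test method starts before this hunk.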