cherrypy-foundation 1.0.0a15__py3-none-any.whl → 1.0.0a16__py3-none-any.whl

cherrypy_foundation/tests/templates/test_form.html

@@ -1,9 +1,14 @@
 <!DOCTYPE html>
-<html >
+<html lang="en">
     <head>
         <title>test-form</title>
     </head>
     <body>
+        {% if form.error_message %}
+        <p>
+            {{ form.error_message }}
+        </p>
+        {% endif %}
         <form method="post" action="/">
             <Fields form={{ form }} />
         </form>

cherrypy_foundation/tests/templates/test_url.html

@@ -1,3 +1,4 @@
+<!DOCTYPE html>
 <html lang="en">
     <head>
         <title>test-url</title>

cherrypy_foundation/tests/test_form.py

@@ -15,9 +15,11 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 import importlib
 from unittest import skipUnless
+from urllib.parse import urlencode
 
 import cherrypy
 from cherrypy.test import helper
+from parameterized import parameterized
 from wtforms.fields import BooleanField, PasswordField, StringField, SubmitField
 from wtforms.validators import InputRequired, Length
 
@@ -67,13 +69,24 @@ class LoginForm(CherryForm):
     )
 
 
+@cherrypy.tools.sessions()
 @cherrypy.tools.jinja2(env=env)
 class Root:
 
+    @cherrypy.expose
+    def index(self, **kwargs):
+        if 'login' not in cherrypy.session:
+            raise cherrypy.HTTPRedirect('/login')
+        return 'OK'
+
     @cherrypy.expose
     @cherrypy.tools.jinja2(template='test_form.html')
-    def index(self):
+    def login(self, **kwargs):
         form = LoginForm()
+        if form.validate_on_submit():
+            # login user with cherrypy.tools.auth
+            cherrypy.session['login'] = True
+            raise cherrypy.HTTPRedirect('/')
         return {'form': form}
 
 
@@ -89,7 +102,7 @@ class FormTest(helper.CPWebCase):
     def test_get_form(self):
         # Given a form
         # When querying the page that include this form
-        self.getPage("/")
+        self.getPage("/login")
         self.assertStatus(200)
         # Then each field is render properly.
         # 1. Check title
@@ -114,3 +127,22 @@ class FormTest(helper.CPWebCase):
         self.assertMatchesBody(
             '<input class="(btn-primary ?|float-end ?|btn ?){3}" container-attr="BAR" container-class="col-sm-6" id="submit" name="submit" type="submit" value="Login">'
         )
+
+    @parameterized.expand(
+        [
+            ('myuser', 'mypassword', 0, 303, False),
+            ('myuser', '', 0, 200, 'Password: This field is required.'),
+            ('', 'mypassword', 0, 200, 'User: This field is required.'),
+        ]
+    )
+    def test_post_form(self, login, password, persistent, expect_status, expect_error):
+        # Given a page with a form.
+        # When data is sent to the form.
+        self.getPage(
+            "/login", method='POST', body=urlencode({'login': login, 'password': password, 'persistent': persistent})
+        )
+        # Then page return a status
+        self.assertStatus(expect_status)
+        # Then page may return an error
+        if expect_error:
+            self.assertInBody(expect_error)

cherrypy_foundation/tools/tests/test_secure_headers.py

@@ -0,0 +1,200 @@
+# CherryPy Foundation
+# Copyright (C) 2025 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import cherrypy
+from cherrypy.test import helper
+
+from cherrypy_foundation.tools import secure_headers  # noqa
+
+
+@cherrypy.tools.secure_headers(
+    csp={
+        "default-src": "'self'",
+        "style-src": ("'self'", "'unsafe-inline'"),
+        "script-src": ("'self'", "'unsafe-inline'"),
+        "img-src": ("'self'", "data:"),
+    }
+)
+@cherrypy.tools.proxy(local=None, remote='X-Real-IP')
+class Root:
+
+    @cherrypy.expose
+    @cherrypy.tools.sessions()
+    def index(self):
+        return {'var1': 'test-jinja2'}
+
+    @cherrypy.expose
+    @cherrypy.tools.sessions()
+    def logout(self, **kwargs):
+        raise cherrypy.HTTPRedirect('/')
+
+    @cherrypy.expose
+    @cherrypy.tools.secure_headers(on=False)
+    @cherrypy.tools.sessions(on=False)
+    def static(self, value=None):
+        return 'OK'
+
+
+class SecureHeaderTest(helper.CPWebCase):
+    interactive = False
+
+    @classmethod
+    def setup_server(cls):
+        cherrypy.tree.mount(Root(), '/')
+
+    def test_cookie_samesite_lax(self):
+        # Given a request made to rdiffweb
+        # When receiving the response
+        self.getPage('/')
+        # Then the header contains Set-Cookie with SameSite=Lax
+        cookie = self.assertHeader('Set-Cookie')
+        self.assertIn('SameSite=Lax', cookie)
+
+    def test_cookie_samesite_lax_without_session(self):
+        # Given not a client sending no cookie
+        self.cookies = None
+        # When a query is made to a static path (without session)
+        self.getPage('/static/blue.css')
+        # Then Set-Cookie is not defined.
+        self.assertNoHeader('Set-Cookie')
+
+    def test_cookie_with_https(self):
+        # Given an https request made to rdiffweb
+        self.getPage('/', headers=[('X-Forwarded-Proto', 'https')])
+        # When receiving the response
+        self.assertStatus(200)
+        # Then the header contains Set-Cookie with Secure
+        cookie = self.assertHeader('Set-Cookie')
+        self.assertIn('Secure', cookie)
+
+    def test_cookie_with_http(self):
+        # Given an https request made to rdiffweb
+        self.getPage('/')
+        # When receiving the response
+        # Then the header contains Set-Cookie with Secure
+        cookie = self.assertHeader('Set-Cookie')
+        self.assertNotIn('Secure', cookie)
+
+    def test_get_with_wrong_origin(self):
+        # Given a GET request made to rdiffweb
+        # When the request is made using a different origin
+        self.getPage('/', headers=[('Origin', 'http://www.examples.com')])
+        # Then the response status it 200 OK.
+        self.assertStatus(200)
+
+    def test_post_with_wrong_origin(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made using a different origin
+        self.getPage('/logout', headers=[('Origin', 'http://www.examples.com')], method='POST')
+        # Then the request is refused with 403 Forbiden
+        self.assertStatus(403)
+        self.assertInBody('Unexpected Origin header')
+
+    def test_post_with_prefixed_origin(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made using a different origin
+        base = 'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)
+        self.getPage('/logout', headers=[('Origin', base)], method='POST')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(403)
+        self.assertInBody('Unexpected Origin header')
+
+    def test_post_with_valid_origin(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made using a different origin
+        base = 'http://%s:%s' % (self.HOST, self.PORT)
+        self.getPage('/logout', headers=[('Origin', base)], method='POST')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(303)
+
+    def test_post_without_origin(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/logout', method='POST')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(303)
+
+    def test_clickjacking_defense(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('X-Frame-Options', 'DENY')
+
+    def test_no_cache(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('Cache-control', 'no-cache')
+        self.assertHeaderItemValue('Cache-control', 'no-store')
+        self.assertHeaderItemValue('Cache-control', 'must-revalidate')
+        self.assertHeaderItemValue('Cache-control', 'max-age=0')
+        self.assertHeaderItemValue('Pragma', 'no-cache')
+        self.assertHeaderItemValue('Expires', '0')
+
+    def test_no_cache_with_static(self):
+        self.getPage('/static')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertNoHeader('Cache-control')
+        self.assertNoHeader('Pragma')
+        self.assertNoHeader('Expires')
+
+    def test_referrer_policy(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('Referrer-Policy', 'same-origin')
+
+    def test_nosniff(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('X-Content-Type-Options', 'nosniff')
+
+    def test_xss_protection(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('X-XSS-Protection', '1; mode=block')
+
+    def test_content_security_policy(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/')
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue(
+            'Content-Security-Policy',
+            "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:",
+        )
+
+    def test_strict_transport_security(self):
+        # Given a POST request made to rdiffweb
+        # When the request is made without an origin
+        self.getPage('/', headers=[('X-Forwarded-Proto', 'https')])
+        # Then the request is accepted with 200 OK
+        self.assertStatus(200)
+        self.assertHeaderItemValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains')

{cherrypy_foundation-1.0.0a15.dist-info → cherrypy_foundation-1.0.0a16.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cherrypy-foundation
-Version: 1.0.0a15
+Version: 1.0.0a16
 Summary: CherryPy Foundation
 Author-email: Patrik Dufresne <patrik@ikus-soft.com>
 License: GPLv3
@@ -8,7 +8,6 @@ Project-URL: Homepage, https://gitlab.com/ikus-soft/cherrypy-foundation
 Classifier: Development Status :: 4 - Beta
 Classifier: Framework :: CherryPy
 Classifier: Intended Audience :: System Administrators
-Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
@@ -22,12 +21,22 @@ Requires-Dist: jinjax
 Requires-Dist: pytz
 Requires-Dist: WTForms>=3.2.1
 Provides-Extra: test
-Requires-Dist: ldap3; extra == "test"
 Requires-Dist: apscheduler; extra == "test"
-Requires-Dist: sqlalchemy; extra == "test"
+Requires-Dist: argon2-cffi; extra == "test"
+Requires-Dist: ldap3; extra == "test"
 Requires-Dist: parameterized; extra == "test"
 Requires-Dist: pytest; extra == "test"
+Requires-Dist: requests_oauthlib; extra == "test"
 Requires-Dist: selenium; extra == "test"
+Requires-Dist: sqlalchemy; extra == "test"
+Provides-Extra: ldap
+Requires-Dist: ldap3; extra == "ldap"
+Provides-Extra: oauth
+Requires-Dist: requests_oauthlib; extra == "oauth"
+Provides-Extra: passwd
+Requires-Dist: argon2-cffi; extra == "passwd"
+Provides-Extra: scheduler
+Requires-Dist: apscheduler; extra == "scheduler"
 Dynamic: license-file
 
 # Cherrypy-foundation
@@ -39,4 +48,12 @@ Dynamic: license-file
 <a href="https://sonar.ikus-soft.com/dashboard?id=cherrypy-foundation"><img alt="Coverage" src="https://sonar.ikus-soft.com/api/project_badges/measure?project=cherrypy-foundation&metric=coverage"></a>
 </p>
 
-This project is a collection of common utilities for creating web applications with CherryPy. It provides integrations with SQLAlchemy, Jinja2, WTForms, and Bootstrap.
+This project provides a collection of reusable utilities that simplify
+building web applications with CherryPy. It offers built-in integrations
+with SQLAlchemy for database access, Jinja2 for templating, WTForms for
+form handling, and Bootstrap for UI components, helping streamline
+application development.
+
+# Usage
+
+TODO

{cherrypy_foundation-1.0.0a15.dist-info → cherrypy_foundation-1.0.0a16.dist-info}/RECORD

@@ -96,16 +96,15 @@ cherrypy_foundation/plugins/tests/test_smtp.py,sha256=qs5yezIpSXkBmLmFlqckfPW7Nm
 cherrypy_foundation/tests/__init__.py,sha256=VIBhEMPDIaffF7lYzA5KevcVNzALz4kykBBaO-gdKHY,2818
 cherrypy_foundation/tests/test_error_page.py,sha256=8yLK8OGbJIdUjilFIHMNBZadLKHrXnD6KSmQ3Da4LaQ,2399
 cherrypy_foundation/tests/test_flash.py,sha256=JqZDAgazlNnP3HcPFmFOWbPeDDMzc6z5fHNe-pBTin0,1976
-cherrypy_foundation/tests/test_form.py,sha256=sWsPWyXwAVkCeP5t0qIHc0Oi32Zi3kztoQ_wlDR9STc,4326
+cherrypy_foundation/tests/test_form.py,sha256=lBoGonAHeiTrNRxWaQXfiiGsHCrAPwid-5_IHIPJUhg,5542
 cherrypy_foundation/tests/test_passwd.py,sha256=gC5O4yhHyU1YRYuDc0pG0T_5zvrG2qrr6P822iyK3Rg,1956
 cherrypy_foundation/tests/test_url.py,sha256=W-RTKQuxYS2KXxCYTTtnKcxfdP9F6Fp3QKY_sBTnBmE,6434
 cherrypy_foundation/tests/templates/test_flash.html,sha256=b1S4I9v0n-Y1yoTUh2ZKNysR1NMrqv8ldvqONtmInzw,213
-cherrypy_foundation/tests/templates/test_form.html,sha256=ywaLKgWqvBdbdfnBgYmi1ihA3xK8X5YtjomA6atnJUg,206
-cherrypy_foundation/tests/templates/test_url.html,sha256=427G6AnA6zUfjPoLxsVHy3U2e_XxG4ntpZX3DIjO18Q,512
+cherrypy_foundation/tests/templates/test_form.html,sha256=liubTm2q74-3hqQb4weaGJU3sq4vdq868GdVahBafSQ,333
+cherrypy_foundation/tests/templates/test_url.html,sha256=xoyRIkIzzM8Q-M39i80P4j7Wo8Lkzh1rIzRq-40Szak,528
 cherrypy_foundation/tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cherrypy_foundation/tools/auth.py,sha256=lTSajxCiReMzm-Fl-xhTByi4yFnInEWOoNsmUMnHQhs,9761
 cherrypy_foundation/tools/auth_mfa.py,sha256=VaLvBz9wo6jTx-2mCGqFXPxl-z14f8UMWvd6_xeXd40,9212
-cherrypy_foundation/tools/errors.py,sha256=ELpAj0N9kIxC22QW5xDQJz60zMpCwgm-Twu2WpELM1A,1005
 cherrypy_foundation/tools/i18n.py,sha256=pP3QrGCHiNHVDpjdKNFKErOCm3eRYZL6W_nlz9j8eD8,17128
 cherrypy_foundation/tools/jinja2.py,sha256=xrHfk814GjlWhfqJcXTA6I2PQ3YqsSz4eHcCh9sG05U,5969
 cherrypy_foundation/tools/ratelimit.py,sha256=pT7vZRmjltNeuiQpdyXOmnpG9BcXjLaj-AXJ0e2x_zw,8300
@@ -117,6 +116,7 @@ cherrypy_foundation/tools/tests/test_auth_mfa.py,sha256=911hnBbdg5CKb613uIBrlggo
 cherrypy_foundation/tools/tests/test_i18n.py,sha256=9rK4_1HVTk2dtTh9egIymx4SP8EO8_igBQkCD4YiIys,10758
 cherrypy_foundation/tools/tests/test_jinja2.py,sha256=gLwaGeQn1Wt7Ximc_5ESHSm499vCeyqhEhPYUPJnamk,5545
 cherrypy_foundation/tools/tests/test_ratelimit.py,sha256=rrqybwMbh1GFlF2-Ut57zHPAc1uqX88aqea6VS_6p5E,3449
+cherrypy_foundation/tools/tests/test_secure_headers.py,sha256=-qry-HHINpRzFru22j9jT3Wy1seURN_hd6yQTj608Mc,7733
 cherrypy_foundation/tools/tests/components/Button.jinja,sha256=uSLp1GpEIgZNXK_GWglu0E_a1c3jHpDLI66MRfMqGhE,95
 cherrypy_foundation/tools/tests/locales/messages.pot,sha256=5K9piTRL7H5MxDXFIWJsCccSJRA0HwfCQQU8b8VYo30,40
 cherrypy_foundation/tools/tests/locales/de/LC_MESSAGES/messages.mo,sha256=bsJTVL4OefevkxeHDS3VcW3egP6Yq18LFXwjSyoqIng,336
@@ -126,8 +126,8 @@ cherrypy_foundation/tools/tests/locales/fr/LC_MESSAGES/messages.po,sha256=6_Sk9I
 cherrypy_foundation/tools/tests/templates/test_jinja2.html,sha256=s1bHmy-lyf0YW0t-LOx3ugILV2kqFoBNYxziWgrZbo0,216
 cherrypy_foundation/tools/tests/templates/test_jinjax.html,sha256=NImzIW0mUHxilFd61PSoxFC-yu1nayEVwv-5zlgD9yo,179
 cherrypy_foundation/tools/tests/templates/test_jinjax_i18n.html,sha256=yre8j7HBjpTQZHpM0PuB3ASGD3O4vKkJ-y72Fm6STgY,771
-cherrypy_foundation-1.0.0a15.dist-info/licenses/LICENSE.md,sha256=trSLYs5qlaow_bBwsLTRKpmTXsXzFksM_YUCMqrgAJQ,35149
-cherrypy_foundation-1.0.0a15.dist-info/METADATA,sha256=yFHspuRqMzwk-zpZtT_j7H7WAR4KTX38sX__MvuwPdI,2023
-cherrypy_foundation-1.0.0a15.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-cherrypy_foundation-1.0.0a15.dist-info/top_level.txt,sha256=B1vQPTLYhpKJ6W0JkRCWyAf8RPcnwJWdYxixv75-4ew,20
-cherrypy_foundation-1.0.0a15.dist-info/RECORD,,
+cherrypy_foundation-1.0.0a16.dist-info/licenses/LICENSE.md,sha256=trSLYs5qlaow_bBwsLTRKpmTXsXzFksM_YUCMqrgAJQ,35149
+cherrypy_foundation-1.0.0a16.dist-info/METADATA,sha256=xItVw-n6g3DFDtgSjtnDimz9OLCj36Lzsx9HO2QJpt0,2471
+cherrypy_foundation-1.0.0a16.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+cherrypy_foundation-1.0.0a16.dist-info/top_level.txt,sha256=B1vQPTLYhpKJ6W0JkRCWyAf8RPcnwJWdYxixv75-4ew,20
+cherrypy_foundation-1.0.0a16.dist-info/RECORD,,

cherrypy_foundation/tools/errors.py

@@ -1,27 +0,0 @@
-# Cherrypy Foundation
-# Copyright (C) 2025 IKUS Software inc.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-import sys
-
-import cherrypy
-
-
-def handle_exception(error_table):
-    t = sys.exc_info()[0]
-    code = error_table.get(t, 500)
-    cherrypy.serving.request.error_response = cherrypy.HTTPError(code).set_response
-
-
-cherrypy.tools.errors = cherrypy.Tool('before_error_response', handle_exception, priority=90)