test: cookie attribute match is case-insensitive.

d603304e · Kazuhiko Shiozaki · a0dfb228 · d603304e · d603304e · d603304e
Commit d603304e authored Nov 09, 2022 by Kazuhiko Shiozaki
4 changed files
--- a/bt5/erp5_oauth_facebook_login/TestTemplateItem/portal_components/test.erp5.testFacebookLogin.py
+++ b/bt5/erp5_oauth_facebook_login/TestTemplateItem/portal_components/test.erp5.testFacebookLogin.py
@@ -166,9 +166,9 @@ class TestFacebookLogin(ERP5TypeTestCase):
      self.portal.ERP5Site_callbackFacebookLogin(code=CODE)

    ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_facebook_hash=' in v]
-    self.assertIn('; Secure', ac_cookie)
-    self.assertIn('; HttpOnly', ac_cookie)
-    self.assertIn('; SameSite=Lax', ac_cookie)
+    self.assertIn('; secure', ac_cookie.lower())
+    self.assertIn('; httponly', ac_cookie.lower())
+    self.assertIn('; samesite=lax', ac_cookie.lower())

  def test_create_user_in_ERP5Site_createFacebookUserToOAuth(self):
    """

--- a/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
+++ b/bt5/erp5_oauth_google_login/TestTemplateItem/portal_components/test.erp5.testGoogleLogin.py
@@ -215,9 +215,9 @@ class TestGoogleLogin(GoogleLoginTestCase):
    getUserEntry_mock.assert_called_once()

    ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_google_hash=' in v]
-    self.assertIn('; Secure', ac_cookie)
-    self.assertIn('; HttpOnly', ac_cookie)
-    self.assertIn('; SameSite=Lax', ac_cookie)
+    self.assertIn('; secure', ac_cookie.lower())
+    self.assertIn('; httponly', ac_cookie.lower())
+    self.assertIn('; samesite=lax', ac_cookie.lower())

  def test_create_user_in_ERP5Site_createGoogleUserToOAuth(self):
    """

--- a/bt5/erp5_openid_connect_client_login/TestTemplateItem/portal_components/test.erp5.testOpenIdConnectLogin.py
+++ b/bt5/erp5_openid_connect_client_login/TestTemplateItem/portal_components/test.erp5.testOpenIdConnectLogin.py
@@ -134,9 +134,9 @@ class TestOpenIdConnectLogin(OpenIdConnectLoginTestCase):
    getUserEntry_mock.assert_called_once()

    ac_cookie, = [v for (k, v) in response.listHeaders() if k.lower() == 'set-cookie' and '__ac_openidconnect_hash=' in v]
-    self.assertIn('; Secure', ac_cookie)
-    self.assertIn('; HttpOnly', ac_cookie)
-    self.assertIn('; SameSite=Lax', ac_cookie)
+    self.assertIn('; secure', ac_cookie.lower())
+    self.assertIn('; httponly', ac_cookie.lower())
+    self.assertIn('; samesite=lax', ac_cookie.lower())

  def test_existing_user(self):
    state=uuid.uuid4().hex

--- a/product/ERP5Security/tests/testERP5Security.py
+++ b/product/ERP5Security/tests/testERP5Security.py
@@ -1586,7 +1586,7 @@ class TestAuthenticationCookie(UserManagementTestCase):
    self.assertIn('; Secure', ac_cookie)

    # HttpOnly flag so that javascript cannot access cookie
-    self.assertIn('; HttpOnly', ac_cookie)
+    self.assertIn('; httponly', ac_cookie.lower())

    # SameSite=Lax flag so that cookie is not sent on cross origin requests.
    # We set Lax (and not strict) so that opening a link to ERP5 from an