import sysimport warningsfrom unittest import TestCasefrom base64 import b64decode, urlsafe_b64encodeimport mockfrom nose.tools import eq_, raisesimport sixfrom . import Receiver, Senderfrom .base import Resource, EmptyValuefrom .exc import (AlreadyProcessed,from .util import (parse_authorization_header,from .bewit import (get_bewit,# Ensure deprecation warnings are turned to exceptions 'error' )class Base(TestCase):def setUp(self):'id' : 'my-hawk-id' ,'key' : 'my hAwK sekret' ,'algorithm' : 'sha256' ,# This callable might be replaced by tests. def seen_nonce(id, nonce, ts):return False def credentials_map(self, id):# Pretend this is doing something more interesting like looking up # a credentials by ID in a database. if self.credentials['id' ] != id:raise LookupError('No credentialsuration for Hawk ID {id}' return self.credentialsclass TestConfig(Base):def test_no_id(self):del c['id' ]def test_no_key(self):del c['key' ]def test_no_algo(self):del c['algorithm' ]def test_no_credentials(self):None )def test_non_dict_credentials(self):class WeirdThing(object):def __getitem__(self, key):return 'whatever' class TestSender(Base):def setUp(self):'http://site.com/foo?bar=1 ' def Sender(self, method='GET' , **kw):'credentials' , self.credentials)'content' , '' )'content_type' , '' )return senderdef receive(self, request_header, url=None , method='GET' , **kw):'credentials_map' , self.credentials_map)'content' , '' )'content_type' , '' )'seen_nonce' , self.seen_nonce)return Receiver(credentials_map, request_header,or self.url, method, **kw)def test_get_ok(self):'GET' def test_post_ok(self):'POST' def test_post_content_ok(self):'POST' 'foo=bar&baz=2' def test_post_content_type_ok(self):'POST' '{"bar": "foobs"}' 'application/json' def test_post_content_type_with_trailing_charset(self):'POST' '{"bar": "foobs"}' 'application/json; charset=utf8' 'application/json; charset=other' )def test_missing_payload_details(self):'POST' , content=EmptyValue,def test_skip_payload_hashing(self):'POST' '{"bar": "foobs"}' 'application/json' False )'hash="' in sn.request_header)True )def test_empty_payload_hashing(self):'GET' None None 'hash="' in sn.request_header)def test_empty_payload_hashing_always_hash_false(self):'GET' None None False )'hash="' in sn.request_header)def test_empty_payload_hashing_accept_untrusted(self):'GET' None None 'hash="' in sn.request_header)True )def test_cannot_skip_content_only(self):'POST' , content=EmptyValue,'application/json' )def test_cannot_skip_content_type_only(self):'POST' , content='{"foo": "bar"}' ,def test_tamper_with_host(self):'http://TAMPERED-WITH.com ' )def test_tamper_with_method(self):'GET' )'POST' )def test_tamper_with_path(self):'http://site.com/TAMPERED?bar=1 ' )def test_tamper_with_query(self):'http://site.com/foo?bar=TAMPERED ' )def test_tamper_with_scheme(self):'https://site.com/foo?bar=1 ' )def test_tamper_with_port(self):'http://site.com:8000/foo?bar=1 ' )def test_tamper_with_content(self):'stuff=nope' )def test_non_ascii_content(self):'Ivan Kristi\u0107' def test_tamper_with_content_type(self):'POST' )'application/json' )def test_nonce_fail(self):def seen_nonce(id, nonce, ts):return True def test_nonce_ok(self):def seen_nonce(id, nonce, ts):return False def test_expired_ts(self):def test_expired_exception_reports_localtime(self):# force expiry None with mock.patch('mohawk.base.utc_now' ) as fake_now:try :except :def test_localtime_offset(self):# Without an offset this will raise an expired exception. def test_localtime_skew(self):# Without an offset this will raise an expired exception. def test_hash_tampering(self):'hash="' , 'hash="nope' )def test_bad_secret(self):'id' : 'my-hawk-id' ,'key' : 'INCORRECT; YOU FAIL' ,'algorithm' : 'sha256' ,def test_unexpected_algorithm(self):'algorithm' ] = 'sha512' # Validate with mismatched credentials (sha256). def test_invalid_credentials(self):# Create an invalid credentials. del cfg['algorithm' ]def test_unknown_id(self):'id' ] = 'someone-else' def test_bad_ext(self):'my external data' )'my external data' , 'TAMPERED' )def test_duplicate_keys(self):'someext' )', ext="otherext"' def test_ext_with_quotes(self):'quotes=""' )def test_ext_with_new_line(self):"new line \n in the middle" )def test_ext_with_equality_sign(self):"foo=bar&foo2=bar2;foo3=bar3" )'ext' ], "foo=bar&foo2=bar2;foo3=bar3" )def test_non_hawk_scheme(self):'Basic user:base64pw' )def test_invalid_key(self):'Hawk mac="validmac" unknownkey="value"' )def test_ext_with_all_valid_characters(self):"!#$%&'()*+,-./:;<=>?@[]^_`{|}~ azAZ09_" 'ext' ], valid_characters)def test_ext_with_illegal_chars(self):"something like \t is illegal" )def test_unparseable_header(self):try :'Hawk mac="somemac", unparseable' )except BadHeaderValue as exc:"Couldn't parse Hawk header" in error_msg)"unparseable" in error_msg)else :'should raise' )def test_ext_with_illegal_unicode(self):'Ivan Kristi\u0107' )def test_too_long_header(self):'a' *5000)def test_ext_with_illegal_utf8(self):# This isn't allowed because the escaped byte chars are out of # range. 'Ivan Kristi\u0107' .encode('utf8' ))def test_app_ok(self):'custom-app' 'app' ], app)def test_tampered_app(self):'custom-app' 'TAMPERED-WITH' )def test_dlg_ok(self):'custom-dlg' 'dlg' ], dlg)def test_tampered_dlg(self):'custom-dlg' 'some-app' )'TAMPERED-WITH' )def test_file_content(self):"POST" "FILE CONTENT" )def test_binary_file_content(self):"POST" "\x00\xffCONTENT\xff\x00" )def test_bad_file_content(self):"POST" "FILE CONTENT" )"BAD FILE CONTENT" )class TestReceiver(Base):def setUp(self):'http://site.com/ ' None None def receive(self, method='GET' , **kw):'url' , self.url)'sender' , None )'sender_kw' , {})'content' , '' )'content_type' , '' )'sender_url' , url)'credentials_map' ,lambda id: self.credentials)if sender:else :'content' , '' )'content_type' , '' )def respond(self, **kw):'accept_kw' , {})'content' , '' )'content_type' , '' )'receiver' , self.receiver)'content' , '' )'content_type' , '' )return receiver.response_headerdef test_invalid_credentials_lookup(self):# Return invalid credentials. lambda *a: {})def test_get_ok(self):'GET' def test_post_ok(self):'POST' def test_respond_with_wrong_content(self):'real content' ,'TAMPERED WITH' ))def test_respond_with_wrong_content_type(self):'text/html' ,'application/json' ))def test_missing_authorization(self):lambda id: self.credentials, None , '/' , 'GET' )def test_respond_with_wrong_url(self):'http://fakesite.com ' )'http://realsite.com ' )def test_respond_with_wrong_method(self):'GET' )'POST' )def test_respond_with_wrong_nonce(self):'another-nonce' ))# The nonce must match the one sent in the original request. def test_respond_with_unhashed_content(self):False , content=None ,None ,True ))def test_respond_with_expired_ts(self):'' , content_type='' )with mock.patch('mohawk.base.utc_now' ) as fn:# force an expiry try :'' , content_type='' )except TokenExpired:if isinstance(calculated, six.binary_type):'ascii' )'tsm' ], calculated)raise def test_respond_with_bad_ts_skew_ok(self):'' , content_type='' )with mock.patch('mohawk.base.utc_now' ) as fn:# Without an offset this will raise an expired exception. '' , content_type='' ,def test_respond_with_ext(self):'custom-ext' 'ext' ], ext)def test_respond_with_wrong_app(self):'TAMPERED-WITH' , dlg='delegation' ))'' , content_type='' )'real-app' , dlg='delegation' ))'' , content_type='' )def test_respond_with_wrong_dlg(self):'app' , dlg='TAMPERED-WITH' ))'' , content_type='' )'app' , dlg='real-dlg' ))'' , content_type='' )def test_receive_wrong_method(self):'GET' )'POST' , sender=wrong_sender)def test_receive_wrong_url(self):'http://fakesite.com/ ' )'http://realsite.com/ ' , sender=wrong_sender)def test_receive_wrong_content(self):'real request' ),'real request' )'TAMPERED WITH' , sender=wrong_sender)def test_expected_unhashed_empty_content(self):# This test sets up a scenario where the receiver will receive empty # strings for content and content_type and no content hash in the auth # header. # This is to account for callers that might provide empty strings for # the payload when in fact there is literally no content. In this case, # mohawk depends on the presence of the content hash in the auth header # to determine how to treat the empty strings: no hash in the header # implies that no hashing is expected to occur on the server. '' ,'' ,False ))def test_expected_unhashed_empty_content_with_content_type(self):# This test sets up a scenario where the receiver will receive an # empty content string and no content hash in the auth header, but # some value for content_type. # This is to confirm that the hash is calculated and compared (to the # hash of mock empty payload, which should fail) when it appears that # the sender has sent a 0-length payload body. '' ,'text/plain' ,False ))def test_expected_unhashed_content_with_empty_content_type(self):# This test sets up a scenario where the receiver will receive some # content but the empty string for the content_type and no content hash # in the auth header. # This is to confirm that the hash is calculated and compared (to the # hash of mock empty payload, which should fail) when the sender has # sent unhashed content. 'some content' ,'' ,False ))def test_empty_content_with_content_type(self):# This test sets up a scenario where the receiver will receive an # empty content string, some value for content_type and a content hash. # This is to confirm that the hash is calculated and compared correctly # when the sender has sent a hashed 0-length payload body. '' ,'text/plain' ,'' ,'text/plain' ))def test_expected_unhashed_no_content(self):# This test sets up a scenario where the receiver will receive None for # content and content_type and no content hash in the auth header. # This is like test_expected_unhashed_empty_content(), but tests for # the less ambiguous case where the caller has explicitly passed in None # to indicate that there is no content to hash. None ,None ,False ))def test_expected_unhashed_no_content_with_content_type(self):# This test sets up a scenario where the receiver will receive None for # content and no content hash in the auth header, but some value for # content_type. # In this case, the content will be coerced to the empty string for # hashing purposes. The request should fail, as the there is no content # hash in the request to compare against. While this may not be in # accordance with the js reference spec, it's the safest (ie. most # secure) way of handling this bizarre set of circumstances. None ,'text/plain' ,False ))def test_expected_unhashed_content_with_no_content_type(self):# This test sets up a scenario where the receiver will receive some # content but no value for the content_type and no content hash in # the auth header. # This is to confirm that the hash is calculated and compared (to the # hash of mock empty payload, which should fail) when the sender has # sent unhashed content. 'some content' ,None ,False ))def test_no_content_with_content_type(self):# This test sets up a scenario where the receiver will receive None for # the content string, some value for content_type and a content hash. # This is to confirm that coercing None to the empty string when a hash # is expected allows the hash to be calculated and compared correctly # as if the sender has sent a hashed 0-length payload body. None ,'text/plain' ,'' ,'text/plain' ))def test_cannot_receive_empty_content_only(self):'text/plain' '' ,def test_cannot_receive_empty_content_type_only(self):'' 'text/plain' ),def test_receive_wrong_content_type(self):'text/html' ),'text/html' )'application/json' ,class TestSendAndReceive(Base):def test(self):'id' : 'some-id' ,'key' : 'some secret' ,'algorithm' : 'sha256' 'https://my-site.com/ ' 'POST' # The client sends a request with a Hawk header. 'foo=bar&baz=nooz' 'application/x-www-form-urlencoded' # The server receives a request and authorizes access. lambda id: credentials,# The server responds with a similar Hawk header. 'we are friends' 'text/plain' # The client receives a response and authorizes access. class TestBewit(Base):# Test cases copied from # https://github.com/hueniverse/hawk/blob/492632da51ecedd5f59ce96f081860ad24ce6532/test/uri.js def setUp(self):'id' : '123456' ,'key' : '2983d45yun89q' ,'algorithm' : 'sha256' ,def make_credential_lookup(self, credentials_map):# Helper function to make a lookup function given a dictionary of # credentials def lookup(client_id):# Will raise a KeyError if missing; which is a subclass of # LookupError return credentials_map[client_id]return lookupdef test_bewit(self):'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'' ,'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' ), expected)def test_bewit_with_binary_id(self):# Check for exceptions in get_bewit call with binary id 'id' ] = binary_credentials['id' ].encode('ascii' )'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=binary_credentials,'' ,def test_bewit_with_ext(self):'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'' ,'xandyandz' '123456\\1356420707\\kscxwNR2tJpP1T1zDLNPbB5UiKIU9tOSJXTUdG7X9h8=\\xandyandz' 'ascii' ), expected)def test_bewit_with_invalid_ext(self):'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'' ,'xand\\yandz' )def test_bewit_with_backslashes_in_id(self):'id' ] = '123\\456' 'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'' )def test_bewit_with_port(self):'https://example.com:8080/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'' , ext='xandyandz' )'123456\\1356420707\\hZbJ3P2cKEo4ky0C8jkZAkRyCZueg4WSNbxV7vq3xHU=\\xandyandz' 'ascii' ), expected)def test_bewit_with_nonce(self):'https://example.com/somewhere/over/the/rainbow ' ,'GET' , credentials=self.credentials,'n1' )def test_bewit_invalid_method(self):'https://example.com:8080/somewhere/over/the/rainbow ' ,'POST' , credentials=self.credentials,'' )def test_strip_bewit(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)"https://example.com/somewhere/over/the/rainbow " )def test_strip_url_without_bewit(self):"https://example.com/somewhere/over/the/rainbow " def test_parse_bewit(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' )'123456' )'1356420707' )'IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=' )'' )def test_parse_bewit_with_ext(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\xandyandz' 'ascii' )'123456' )'1356420707' )'IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=' )'xandyandz' )def test_parse_bewit_with_ext_and_backslashes(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\xand\\yandz' 'ascii' )def test_parse_invalid_bewit_with_only_one_part(self):'12345' 'ascii' )def test_parse_invalid_bewit_with_only_two_parts(self):'1\\2' 'ascii' )def test_validate_bewit(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)'id' ]: self.credentials,07 + 10))def test_validate_bewit_with_ext(self):'123456\\1356420707\\kscxwNR2tJpP1T1zDLNPbB5UiKIU9tOSJXTUdG7X9h8=\\xandyandz' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)'id' ]: self.credentials,07 + 10))def test_validate_bewit_with_ext_and_backslashes(self):'123456\\1356420707\\b82LLIxG5UDkaChLU953mC+SMrbniV1sb8KiZi9cSsc=\\xand\\yandz' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)'id' ]: self.credentials,def test_validate_expired_bewit(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)'id' ]: self.credentials,def test_validate_bewit_with_unknown_credentials(self):'123456\\1356420707\\IGYmLgIqLrCe8CxvKPs4JlWIA+UjWJJouwgARiVhCAg=\\' 'ascii' )"https://example.com/somewhere/over/the/rainbow?bewit={bewit} " .format(bewit=bewit)'other_id' : self.credentials,class TestPayloadHash(Base):def test_hash_file_read_blocks(self):"\x00\xffhello world\xff\x00" )'sha256' , 'application/json' , block_size=1)'sha256' , 'application/json' , block_size=1024)quality 100%
¤ Dauer der Verarbeitung: 0.5 Sekunden
(vorverarbeitet)
¤ *© Formatika GbR, Deutschland
