o b@s UdZddlmZddlmZddlmZddlmZm Z ddl m Z ddl m Z mZmZddlmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZdZeeed<edredrddl m!Z!ddl"mZm#Z#m$Z$ddl%m&Z&ddl'm(Z(nGdddZ#GdddZ$Gddde$j)Z*Gddde$j)Z+Gddde$j)Z,Gd d!d!e#j-Z.eeGd"d#d#Z/ee Gd$d%d%Z0ee Gd&d'd'Z1ee Gd(d)d)Z2Gd*d+d+ej3Z4Gd,d-d-ej3Z5Gd.d/d/ej3Z6Gd0d1d1ej3Z7dS)2zT Tests for the implementation of the ssh-userauth service. Maintainer: Paul Swartz ) ModuleType)Optional) implementer) ConchErrorValidPublicKey)ICredentialsChecker) IAnonymousISSHPrivateKeyIUsernamePassword)UnauthorizedLogin)IRealmPortal)defertask)loopback) requireModule)unittestNkeys cryptographypyasn1)SSHProtocolChecker)r transportuserauth)NS)keydatac@eZdZGdddZdS)rc@eZdZdZdS)ztransport.SSHTransportBaseQ A stub class so that later class definitions won't die. N__name__ __module__ __qualname____doc__r#r#B/usr/lib/python3/dist-packages/twisted/conch/test/test_userauth.pySSHTransportBase"r%N)rr r!r%r#r#r#r$r!rc@r)rc@r)zuserauth.SSHUserAuthClientrNrr#r#r#r$SSHUserAuthClient(r&r(N)rr r!r(r#r#r#r$r'r'rc@s2eZdZdZddZddZd ddZd d ZdS) ClientUserAuthz" A mock user auth client. cCs(|jr tjtjSttjtjS)z If this is the first time we've been called, return a blob for the DSA key. Otherwise, return a blob for the RSA key. ) lastPublicKeyrKey fromStringrpublicRSA_opensshrsucceedpublicDSA_opensshselfr#r#r$ getPublicKey3szClientUserAuth.getPublicKeycCsttjtjS)z@ Return the private key object for the RSA key. )rr.rr+r,rprivateRSA_opensshr0r#r#r$ getPrivateKey>zClientUserAuth.getPrivateKeyNcC tdS)z/ Return 'foo' as the password. foorr.)r1promptr#r#r$ getPasswordD zClientUserAuth.getPasswordcCr6)z> Return 'foo' as the answer to two questions. )foor<r8)r1name informationanswersr#r#r$getGenericAnswersJr;z ClientUserAuth.getGenericAnswersN)rr r!r"r2r4r:r@r#r#r#r$r).s   r)c@ eZdZdZddZddZdS) OldClientAuthz~ The old SSHUserAuthClient returned a cryptography key object from getPrivateKey() and a string from getPublicKey cCsttjtjjSrA)rr.rr+r,rr3 keyObjectr0r#r#r$r4WzOldClientAuth.getPrivateKeycCstjtjSrA)rr+r,rr-blobr0r#r#r$r2ZszOldClientAuth.getPublicKeyNrr r!r"r4r2r#r#r#r$rCQs rCc@rB)ClientAuthWithoutPrivateKeyzP This client doesn't have a private key, but it does have a public key. cCdSrAr#r0r#r#r$r4cz)ClientAuthWithoutPrivateKey.getPrivateKeycCstjtjSrA)rr+r,rr-r0r#r#r$r2fz(ClientAuthWithoutPrivateKey.getPublicKeyNrGr#r#r#r$rH^s rHc@sLeZdZdZGdddZGdddZddZdd Zd d Zd d Z dS) FakeTransporta_ L{userauth.SSHUserAuthServer} expects an SSH transport which has a factory attribute which has a portal attribute. Because the portal is important for testing authentication, we need to be able to provide an interesting portal object to the L{SSHUserAuthServer}. In addition, we want to be able to capture any packets sent over the transport. @ivar packets: a list of 2-tuples: (messageType, data). Each 2-tuple is a sent packet. @type packets: C{list} @param lostConnecion: True if loseConnection has been called on us. @type lostConnection: L{bool} c@seZdZdZdZddZdS)zFakeTransport.ServicezW A mock service, representing the other service offered by the server. nancycCrIrAr#r0r#r#r$serviceStartedrJz$FakeTransport.Service.serviceStartedN)rr r!r"r=rNr#r#r#r$Service{s rOc@eZdZdZddZdS)zFakeTransport.Factoryzg A mock factory, representing the factory that spawned this user auth service. cCs|dkrtjSdS)z2 Return our fake service. noneN)rLrO)r1rservicer#r#r$ getServicesz FakeTransport.Factory.getServiceN)rr r!r"rSr#r#r#r$Factorys rTcCs(||_||j_d|_||_g|_dSNF)rTfactoryportallostConnectionrpackets)r1rWr#r#r$__init__s  zFakeTransport.__init__cCs|j||fdS)z8 Record the packet sent by the service. N)rYappend)r1 messageTypemessager#r#r$ sendPacketr5zFakeTransport.sendPacketcCdS)z Pretend that this transport encrypts traffic in both directions. The SSHUserAuthServer disables password authentication if the transport isn't encrypted. Tr#)r1 directionr#r#r$ isEncryptedszFakeTransport.isEncryptedcCs d|_dSNT)rXr0r#r#r$loseConnections zFakeTransport.loseConnectionN) rr r!r"rOrTrZr^rarcr#r#r#r$rLjs   rLc@rP)Realmz A mock realm for testing L{userauth.SSHUserAuthServer}. This realm is not actually used in the course of testing, so it returns the simplest thing that could possibly work. cGst|ddddfS)NrcSrIrAr#r#r#r#r$z%Realm.requestAvatar..r8)r1avatarIdmind interfacesr#r#r$ requestAvatarszRealm.requestAvatarN)rr r!r"rjr#r#r#r$rds rdc@eZdZdZefZddZdS)PasswordCheckerz A very simple username/password checker which authenticates anyone whose password matches their username and rejects all others. cCs&|j|jkr t|jSttdS)NzInvalid username/password pair)usernamepasswordrr.failr )r1credsr#r#r$requestAvatarIds  zPasswordChecker.requestAvatarIdN)rr r!r"r credentialInterfacesrqr#r#r#r$rl rlc@rk)PrivateKeyCheckerz A very simple public key checker which authenticates anyone whose public/private keypair is the same keydata.public/privateRSA_openssh. cCsX|jtjtjkr)|jdur&tj|j}||j|jr#|j St t t rA) rFrr+r,rr- signatureverifysigDatarmrr )r1rpobjr#r#r$rqs z!PrivateKeyChecker.requestAvatarIdN)rr r!r"r rrrqr#r#r#r$rtrsrtc@rk)AnonymousCheckerzI A simple checker which isn't supported by L{SSHUserAuthServer}. cCrIrAr#)r1 credentialsr#r#r$rqsz AnonymousChecker.requestAvatarIdN)rr r!r"rrrrqr#r#r#r$rys ryc@seZdZdZedur dZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+ZdS),SSHUserAuthServerTestsz& Tests for SSHUserAuthServer. Ncannot run without cryptographycCsbt|_t|j|_|jt|jtt|_ t |j|j _ |j |j j dSrA)rdrealmr rWregisterCheckerrlrtrSSHUserAuthServer authServerrLrrNsupportedAuthenticationssortr0r#r#r$setUps   zSSHUserAuthServerTests.setUpcC|jd|_dSrA)rserviceStoppedr0r#r#r$tearDown  zSSHUserAuthServerTests.tearDowncCs(||jjjdtjtddfdS)z; Check that the authentication has failed. spassword,publickeyN) assertEqualrrrYrMSG_USERAUTH_FAILURErr1ignoredr#r#r$ _checkFaileds z#SSHUserAuthServerTests._checkFailedcCs,|jtdtdtd}||jS)z A client may request a list of authentication 'method name' values that may continue by using the "none" authentication 'method name'. See RFC 4252 Section 5.2. r7sservicerQ)rssh_USERAUTH_REQUESTr addCallbackr)r1dr#r#r$test_noneAuthentications z.SSHUserAuthServerTests.test_noneAuthenticationcsFdtdtdtddtdg}j|}fdd}||S)z When provided with correct password authentication information, the server should respond by sending a MSG_USERAUTH_SUCCESS message with no other data. See RFC 4252, Section 5.1. r7rQpasswordrcjjjtjdfgdSNrrrrrYrMSG_USERAUTH_SUCCESSrr0r#r$check zKSSHUserAuthServerTests.test_successfulPasswordAuthentication..check)joinrrrrr1packetrrr#r0r$%test_successfulPasswordAuthentications$   z.check)rr+r,rr-rFr3rsshTyperr sessionIDsignbytesrMSG_USERAUTH_REQUESTrr)r1rFrxrrurrr#r0r$'test_successfulPrivateKeyAuthentication8s,      z>SSHUserAuthServerTests.test_successfulPrivateKeyAuthenticationcstdd}dd}fdd}||jd|||jd|||jd |td td td td }|j||tS)z ssh_USERAUTH_REQUEST should raise a ConchError if tryAuth returns None. Added to catch a bug noticed by pyflakes. cSs|ddS)Nz&request should have raised ConochError)rorr#r#r$mockCbFinishedAuth\rKzOSSHUserAuthServerTests.test_requestRaisesConchError..mockCbFinishedAuthcSrIrAr#)kinduserdatar#r#r$ mockTryAuth_rJzHSSHUserAuthServerTests.test_requestRaisesConchError..mockTryAuthcs|jdSrA)errbackvalue)reasonrr#r$ mockEbBadAuthbszJSSHUserAuthServerTests.test_requestRaisesConchError..mockEbBadAuthtryAuth_cbFinishedAuth _ebBadAuthsuserrQs public-keysdata)rDeferredpatchrrr assertFailurer)r1rrrrr#rr$test_requestRaisesConchErrorUs    z3SSHUserAuthServerTests.test_requestRaisesConchErrorcsbtjtjtdtdtddtdt}j|}fdd}| |S)z@ Test that verifying a valid private key works. r7rQrrssh-rsacs*jjjtjtdtfgdS)Nr)rrrrYrMSG_USERAUTH_PK_OKrrrFr1r#r$r~sz@SSHUserAuthServerTests.test_verifyValidPrivateKey..check) rr+r,rr-rFrrrrrr#rr$test_verifyValidPrivateKeyos   z1SSHUserAuthServerTests.test_verifyValidPrivateKeycCsVtjtj}tdtdtddtdt|}|j|}| |j S)d Test that private key authentication fails when the public key is invalid. r7rQrrsssh-dsa rr+r,rr/rFrrrrrr1rFrrr#r#r$3test_failedPrivateKeyAuthenticationWithoutSignatures  zJSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithoutSignaturecCs|tjtj}tjtj}tdtdtddtdt|t||}d|j j _ |j |}| |jS)rr7rQrrrr)rr+r,rr-rFr3rrrrrrrr)r1rFrxrrr#r#r$0test_failedPrivateKeyAuthenticationWithSignatures&   zGSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithSignaturecCsjtjtj}td|dd}tdtdtddtdt|}|j|}| |j S) z Private key authentication fails when the public key type is unsupported or the public key is corrupt. s ssh-bad-type Nr7rQrrrrrr#r#r$test_unsupported_publickeys   z1SSHUserAuthServerTests.test_unsupported_publickeycCsRt}t|j|_|jt|||j | |j ddgdS)ah L{SSHUserAuthServer} sets up C{SSHUserAuthServer.supportedAuthentications} by checking the portal's credentials interfaces and mapping them to SSH authentication method strings. If the Portal advertises an interface that L{SSHUserAuthServer} can't map, it should be ignored. This is a white box test. rrN) rrrLrWrr~ryrNrrrrr1serverr#r#r$ test_ignoreUnknownCredInterfacess  z7SSHUserAuthServerTests.test_ignoreUnknownCredInterfacescCs|d|jjt}t|j|_dd|j_| | | d|jt}t|j|_dd|j_| | |d|jdS)z Test that the userauth service does not advertise password authentication if the password would be send in cleartext. rcSr_rUr#xr#r#r$rerfzISSHUserAuthServerTests.test_removePasswordIfUnencrypted..cS|dkSNinr#rr#r#r$reN) assertInrrrrrLrWrrarNr assertNotIn)r1clearAuthServerhalfAuthServerr#r#r$ test_removePasswordIfUnencrypteds    z7SSHUserAuthServerTests.test_removePasswordIfUnencryptedcCst|j}|tt}t||_dd|j_| | | |j dgt}t||_dd|j_| | | |j dgdS)z If the L{SSHUserAuthServer} is not advertising passwords, then an unencrypted connection should not cause any warnings or exceptions. This is a white box test. cSr_rUr#rr#r#r$rerfzSSSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswords..rcSrrr#rr#r#r$rerN) r r}r~rtrrrLrrarNrrr)r1rWrrr#r#r$*test_unencryptedConnectionWithoutPasswordss      zASSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswordscCst}t|_t|j|_||j d| | |jj tj dttjftdtdfg||jjdS)z0 Test that the login times out. 鰚syou took too longrN)rrrrrrLrWrrNrrrrYMSG_DISCONNECTr)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEr assertTruerXr1timeoutAuthServerr#r#r$test_loginTimeouts(     z(SSHUserAuthServerTests.test_loginTimeoutcCs\t}t|_t|j|_|| |j d| |jj g| |jjdS)zN Test that stopping the service also stops the login timeout. rN)rrrrrrLrWrrNrrrrY assertFalserXrr#r#r$test_cancelLoginTimeouts   z.SSHUserAuthServerTests.test_cancelLoginTimeoutcsndtdtdtddtdg}tj_tdD]}j|}jjdqfd d }| |S) zm Test that the server disconnects if the client fails authentication too many times. rr7rQrrrrcs<jjjdtjdttjftdtdfdS)Nrrstoo many bad authsr)rrrrYrrrrrr0r#r$r1s  z:SSHUserAuthServerTests.test_tooManyAttempts..check) rrrrrrrangerrr)r1rirrr#r0r$test_tooManyAttempts&s$     z+SSHUserAuthServerTests.test_tooManyAttemptscCsHtdtdtddtd}t|j_|j|}||jS)zo If the user requests a service that we don't support, the authentication should fail. r7rrr)rrrrrrrrrr#r#r$test_failIfUnknownService?s$   z0SSHUserAuthServerTests.test_failIfUnknownServicecsVdd}jd|jddfdd}jddd}|t|S) aZ tryAuth() has two edge cases that are difficult to reach. 1) an authentication method auth_* returns None instead of a Deferred. 2) an authentication type that is defined does not have a matching auth_* method. Both these cases should return a Deferred which fails with a ConchError. cSrIrAr#)rr#r#r$mockAuthUrJz>SSHUserAuthServerTests.test_tryAuthEdgeCases..mockAuthauth_publickey auth_passwordNcsjddd}|tS)Nr)rrrr)rd2r0r#r$ secondTest[s z@SSHUserAuthServerTests.test_tryAuthEdgeCases..secondTestr)rrrrrr)r1rrd1r#r0r$test_tryAuthEdgeCasesIs   z,SSHUserAuthServerTests.test_tryAuthEdgeCases)rr r!r"rskiprrrrrrrrrrrrrrrrrrrrr#r#r#r$r{s0     r{c@seZdZdZedur dZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!ZdS)"SSHUserAuthClientTestsz& Tests for SSHUserAuthClient. Nr|cCs4tdt|_td|j_d|jj_|jdS)Nr7r)r)rLrO authClientrrrNr0r#r#r$rks  zSSHUserAuthClientTests.setUpcCrrA)rrr0r#r#r$rqrzSSHUserAuthClientTests.tearDowncCsT||jjd||jjjd||jjjtjt dt dt dfgdS)z; Test that client is initialized properly. r7rMrQN) rrrinstancer=rrYrrrr0r#r#r$ test_initus z SSHUserAuthClientTests.test_initcs@dgfdd}||jj_|jd|d|jjdS)z9 Test that the client succeeds properly. Ncs |d<dS)Nrr#)rRrr#r$stubSetServices zDSSHUserAuthClientTests.test_USERAUTH_SUCCESS..stubSetServicerr)rr setServicessh_USERAUTH_SUCCESSrr)r1rr#rr$test_USERAUTH_SUCCESSs    z,SSHUserAuthClientTests.test_USERAUTH_SUCCESSc Cs|jtdd||jjjdtjtdtdtddtdttj t j  f|jtddttj t j }||jjjdtjtdtdtddtd|f|jtdttj t j t|jjjttjftdtdtddtd|}tj t j}||jjjdtjtdtdtddtd|t||fd S) zJ Test that the client can authenticate with a public key. rrrr7rMsssh-dssrN)rssh_USERAUTH_FAILURErrrrYrrrr+r,rr/rFr-ssh_USERAUTH_PK_OKrrr3r)r1rFrwrxr#r#r$test_publickeys        z%SSHUserAuthClientTests.test_publickeycCsztdt}td|_d|j_||dg|j_|| d| |jjt j t dt dt dfgdS)z If the SSHUserAuthClient doesn't return anything from signData, the client should start the authentication over again by requesting 'none' authentication. r7NrrrrMrQ)rHrLrOrrrNrrY assertIsNonerrrrr)r1rr#r#r$!test_publickey_without_privatekeys  z8SSHUserAuthClientTests.test_publickey_without_privatekeycs.ddj_jd}fdd}||S)z{ If there's no public key, auth_publickey should return a Deferred called back with a False value. cSrIrAr#rr#r#r$rerfz:SSHUserAuthClientTests.test_no_publickey..rcs|dSrA)rresultr0r#r$rrKz7SSHUserAuthClientTests.test_no_publickey..check)rr2rr)r1rrr#r0r$test_no_publickeys    z(SSHUserAuthClientTests.test_no_publickeycCs|jtdd||jjjdtjtdtdtddtdf|jtdtd||jjjdtjtdtdtddtddfd S) zx Test that the client can authentication with a password. This includes changing the password. rrrr7rMrrrN) rrrrrrYrrrr0r#r#r$ test_passwords " &z$SSHUserAuthClientTests.test_passwordcCs"dd|j_||jddS)zK If getPassword returns None, tryAuth should return False. cSrIrAr#r#r#r#r$rerfz9SSHUserAuthClientTests.test_no_password..rN)rr:rrr0r#r#r$test_no_passwords z'SSHUserAuthClientTests.test_no_passwordcCs`|jtdtdtddtdd||jjjdtjdtdtdfdS) zj Make sure that the client can authenticate with the keyboard interactive method. rss Password: rrsr7N)r'ssh_USERAUTH_PK_OK_keyboard_interactiverrrrYrMSG_USERAUTH_INFO_RESPONSEr0r#r#r$test_keyboardInteractives& z/SSHUserAuthClientTests.test_keyboardInteractivecCsPd|j_g|jj_|jd||jjjtjtdtdtdfgdS)z If C{SSHUserAuthClient} gets a MSG_USERAUTH_PK_OK packet when it's not expecting it, it should fail the current authentication and move on to the next type. sunknownrr7rMrQN) rlastAuthrrYrrrrrr0r#r#r$"test_USERAUTH_PK_OK_unknown_methods  z9SSHUserAuthClientTests.test_USERAUTH_PK_OK_unknown_methodcsfdd}fdd}|j_|j_jtddjjjdtj tdtd td dtdfjtd d jjjd dddgdS)z ssh_USERAUTH_FAILURE should sort the methods by their position in SSHUserAuthClient.preferredOrder. Methods that are not in preferredOrder should be sorted at the end of that list. csjjdddS)N here is datarrr^r#r0r#r$auth_firstmethod2szNSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_firstmethodcsjjdddS)N other dataTr r#r0r#r$auth_anothermethod5szPSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_anothermethodsanothermethod,passwordrrr7rMrs"firstmethod,anothermethod,passwordrN)r r )rr) rrrrrrrrYrr)r1rrr#r0r$test_USERAUTH_FAILURE_sorting+s$   " z4SSHUserAuthClientTests.test_USERAUTH_FAILURE_sortingcCsT|jtdd|jtdd||jjjdtjdtddfdS) z If there are no more available user authentication messages, the SSHUserAuthClient should disconnect with code DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE. rrrrss(no more authentication methods availablesN)rrrrrrYrr0r#r#r$%test_disconnectIfNoMoreAuthenticationOs z.checkcs*|tddd}|jSrA)rrr@rrorr)rcheck3r1r#r$r{s z4SSHUserAuthClientTests.test_defaults..check2cSs|tdSrA)rrrr#r#r$rrKz4SSHUserAuthClientTests.test_defaults..check3) rr(rLrOrr2r4rror)r1rrr#)rrrr1r$ test_defaultsmsz$SSHUserAuthClientTests.test_defaults)rr r!r"rrrrrrrrrrrrr rrrrr#r#r#r$rcs&  > $ rc@s.eZdZedur dZGdddZddZdS) LoopbackTestsN)cannot run without cryptography or PyASN1c@s"eZdZGdddZddZdS)zLoopbackTests.Factoryc@rB)zLoopbackTests.Factory.Service TestServicecCs|jdSrA)rrcr0r#r#r$rNrKz,LoopbackTests.Factory.Service.serviceStartedcCrIrAr#r0r#r#r$rrJz,LoopbackTests.Factory.Service.serviceStoppedN)rr r!r=rNrr#r#r#r$rOs rOcCs|jSrA)rO)r1avatarr=r#r#r$rSsz LoopbackTests.Factory.getServiceN)rr r!rOrSr#r#r#r$rTs rTcs ttdj}t_j_ddj_t|_||j_dj_ |j_ ddj_ |j_ j_ d_ t }t|}tttfdd_||jj _tj|j}ddjj_d d|jj_|fd d }||S) zW Test that the userauth server and client play nicely with each other. r7cSr_rbr#rr#r#r$rerfz-LoopbackTests.test_loopback..rcSrIrAr#r#r#r#r$rerfrcstj|dkS)Nr)lensuccessfulCredentials)aId)checkerr#r$rescSr_)N_ServerLoopbackr#r#r#r#r$rerfcSr_)N_ClientLoopbackr#r#r#r#r$rerfcsjjjddS)Nr )rrrRr=rrr#r$rrEz*LoopbackTests.test_loopback..check)rrr)rTrOrr%rRrar sendKexInitrV passwordDelayrdr rr~rlrtareDonerWr loopbackAsync logPrefixrNr)r1clientr}rWrrr#)r%r1rr$ test_loopbacks4         zLoopbackTests.test_loopback)rr r!rrrTr.r#r#r#r$rs  rc@s eZdZedur dZddZdS)ModuleInitializationTestsNrcCs,|tjjdd|tjjdddS)N<r)rrrprotocolMessagesr(r0r#r#r$ test_messagess   z'ModuleInitializationTests.test_messages)rr r!rrr2r#r#r#r$r/s r/)8r"typesrtypingrzope.interfacertwisted.conch.errorrrtwisted.cred.checkersrtwisted.cred.credentialsrr r twisted.cred.errorr twisted.cred.portalr r twisted.internetrrtwisted.protocolsrtwisted.python.reflectr twisted.trialrr__annotations__twisted.conch.checkersrtwisted.conch.sshrrtwisted.conch.ssh.commonrtwisted.conch.testrr(r)rCrHr%rLrdrlrtryTestCaser{rrr/r#r#r#r$sR          #  A  }&<