o ¯bê\ã@sœdZddlZddlmZddlmZddlmZmZddl m Z m Z m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZmZddlmZddl m!Z!m"Z"ddl#m$Z$ddl%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.dd„Z/Gdd„dƒZ0Gdd„dƒZ1Gdd„de1e0ej2ƒZ3Gdd„de1ej2ƒZ4Gd d!„d!e1ej2ƒZ5eej6ƒGd"d#„d#ƒZ7Gd$d%„d%ej2ƒZ8dS)&z! Tests for L{twisted.web._auth}. éN)Ú implementer)Ú verifyObject)ÚerrorÚportal)Ú ANONYMOUSÚAllowAnonymousAccessÚ'InMemoryUsernamePasswordDatabaseDontUse)ÚIUsernamePassword)Ú IPv4Address)ÚConnectionDone)ÚglobalLogPublisher)ÚFailure)ÚEventLoggingObserver)Úunittest)ÚbasicÚdigest)ÚBasicCredentialFactory)ÚHTTPAuthSessionWrapperÚUnauthorizedResource)ÚICredentialFactory)Ú IResourceÚResourceÚgetChildForRequest©Ú NOT_DONE_YET)ÚData)Ú DummyRequestcCst |¡ ¡S©N)Úbase64Ú b64encodeÚstrip)Ús©r"ú@/usr/lib/python3/dist-packages/twisted/web/test/test_httpauth.pyr%src@sJeZdZdZdd„Zddd„Zdd „Zd d „Zd d „Zdd„Z dd„Z dS)ÚBasicAuthTestsMixinz½ L{TestCase} mixin class which defines a number of tests for L{basic.BasicCredentialFactory}. Because this mixin defines C{setUp}, it must be inherited before L{TestCase}. cCs.| ¡|_d|_d|_d|_t |j¡|_dS)NsfoosdreidsS3CuR1Ty)Ú makeRequestÚrequestÚrealmÚusernameÚpasswordrrÚcredentialFactory©Úselfr"r"r#ÚsetUp0s zBasicAuthTestsMixin.setUpóGETNcCst|j›dƒ‚)zª Create a request object to be passed to L{basic.BasicCredentialFactory.decode} along with a response value. Override this in a subclass. z did not implement makeRequest)ÚNotImplementedErrorÚ __class__)r,ÚmethodÚ clientAddressr"r"r#r%7szBasicAuthTestsMixin.makeRequestcCó| tt|jƒ¡dS)zM L{BasicCredentialFactory} implements L{ICredentialFactory}. N©Ú assertTruerrr*r+r"r"r#Útest_interface?óz"BasicAuthTestsMixin.test_interfacecCsdtd |jd|jg¡ƒ}|j ||j¡}| t  |¡¡| |  |j¡¡|  |  |jd¡¡dS)zÔ L{basic.BasicCredentialFactory.decode} turns a base64-encoded response into a L{UsernamePassword} object with a password which reflects the one which was encoded in the response. óó:swrongN) rÚjoinr(r)r*Údecoder&r5r Ú providedByÚ checkPasswordÚ assertFalse©r,ÚresponseÚcredsr"r"r#Útest_usernamePasswordEs z)BasicAuthTestsMixin.test_usernamePasswordcCsXtd |jd|jg¡ƒ}| d¡}|j ||j¡}| t t |ƒ¡| |  |j¡¡dS)zz L{basic.BasicCredentialFactory.decode} decodes a base64-encoded response with incorrect padding. r8r9ó=N) rr:r(r)r r*r;r&r5rr r=r?r"r"r#Útest_incorrectPaddingRs  z)BasicAuthTestsMixin.test_incorrectPaddingcCs"d}| tj|jj|| ¡¡dS)zˆ L{basic.BasicCredentialFactory.decode} raises L{LoginFailed} if passed a response which is not base64-encoded. óxN)Ú assertRaisesrÚ LoginFailedr*r;r%©r,r@r"r"r#Útest_invalidEncoding^süz(BasicAuthTestsMixin.test_invalidEncodingcCs&tdƒ}| tj|jj|| ¡¡dS)z• L{basic.BasicCredentialFactory.decode} raises L{LoginFailed} when passed a response which is not valid base64-encoded text. s123abc+/N)rrFrrGr*r;r%rHr"r"r#Útest_invalidCredentialsksüz+BasicAuthTestsMixin.test_invalidCredentials©r.N) Ú__name__Ú __module__Ú __qualname__Ú__doc__r-r%r6rBrDrIrJr"r"r"r#r$)s   r$c@seZdZddd„ZdS)Ú RequestMixinr.NcCs,|dur tdddƒ}tdƒ}||_||_|S)zo Create a L{DummyRequest} (change me to create a L{twisted.web.http.Request} instead). NÚTCPÚ localhostiÒó/)r rr1Úclient)r,r1r2r&r"r"r#r%zs  zRequestMixin.makeRequestrK)rLrMrNr%r"r"r"r#rPysrPc@seZdZdZdS)ÚBasicAuthTestszK Basic authentication tests which use L{twisted.web.http.Request}. N)rLrMrNrOr"r"r"r#rU‡srUc@s8eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd S) ÚDigestAuthTestszL Digest authentication tests which use L{twisted.web.http.Request}. cCs,d|_d|_t |j|j¡|_| ¡|_dS)z> Create a DigestCredentialFactory for testing ó test realmómd5N)r'Ú algorithmrÚDigestCredentialFactoryr*r%r&r+r"r"r#r-’s ÿzDigestAuthTests.setUpcsnd‰d‰dg‰tƒ‰‡‡‡‡‡fdd„}ˆ ˆjjd|¡ˆ ˆtdˆdƒ¡}ˆj ˆ|¡ˆ ˆd ¡d S) zÅ L{digest.DigestCredentialFactory.decode} calls the C{decode} method on L{twisted.cred.digest.DigestCredentialFactory} with the HTTP method and host of the request. s 169.254.0.1r.Fcs0ˆ ˆ|¡ˆ ˆ|¡ˆ ˆ|¡dˆd<dS)NTr)Ú assertEqual)Ú _responseÚ_methodÚ_host©ÚdoneÚhostr1r@r,r"r#Úcheck¨s    z*DigestAuthTests.test_decode..checkr;rQéQrN)ÚobjectÚpatchr*rr%r r;r5)r,rbÚreqr"r_r#Ú test_decodeszDigestAuthTests.test_decodecCr3)zN L{DigestCredentialFactory} implements L{ICredentialFactory}. Nr4r+r"r"r#r6³r7zDigestAuthTests.test_interfacecCst|j |j¡}| |dd¡| |dd¡| |dd¡| d|¡| d|¡| ¡D]}| d |¡q/d S) ah The challenge issued by L{DigestCredentialFactory.getChallenge} must include C{'qop'}, C{'realm'}, C{'algorithm'}, C{'nonce'}, and C{'opaque'} keys. The values for the C{'realm'} and C{'algorithm'} keys must match the values supplied to the factory's initializer. None of the values may have newlines in them. Úqopóauthr'rWrYrXÚnonceÚopaqueó N)r*Ú getChallenger&r[ÚassertInÚvaluesÚ assertNotIn)r,Ú challengeÚvr"r"r#Útest_getChallenge¹s   ÿz!DigestAuthTests.test_getChallengecCsd| dd¡}|j |¡}| |dd¡| |dd¡| |dd¡| d |¡| d |¡dS) z  L{DigestCredentialFactory.getChallenge} can issue a challenge even if the L{Request} it is passed returns L{None} from C{getClientIP}. r.Nrhrir'rWrYrXrjrk)r%r*rmr[rn)r,r&rqr"r"r#Ú test_getChallengeWithoutClientIPÊs   z0DigestAuthTests.test_getChallengeWithoutClientIPN) rLrMrNrOr-rgr6rsrtr"r"r"r#rVs  rVc@s@eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd d „Z dS)ÚUnauthorizedResourceTestsz, Tests for L{UnauthorizedResource}. cCs4tgƒ}| | dd¡|¡| | dd¡|¡dS)zF An L{UnauthorizedResource} is every child of itself. ÚfooNÚbar)rÚassertIdenticalÚgetChildWithDefault)r,Úresourcer"r"r#Útest_getChildWithDefaultÝsz2UnauthorizedResourceTests.test_getChildWithDefaultcCs@ttdƒgƒ}| |¡| |jd¡| |j d¡dg¡dS)zç Render L{UnauthorizedResource} for the given request object and verify that the response code is I{Unauthorized} and that a I{WWW-Authenticate} header is set in the response containing a challenge. ú example.comé‘ówww-authenticatesbasic realm="example.com"N)rrÚrenderr[Ú responseCodeÚresponseHeadersÚ getRawHeaders)r,r&rzr"r"r#Ú_unauthorizedRenderTestås  þz1UnauthorizedResourceTests._unauthorizedRenderTestcCs*| ¡}| |¡| dd |j¡¡dS)zº L{UnauthorizedResource} renders with a 401 response code and a I{WWW-Authenticate} header and puts a simple unauthorized message into the response body. s Unauthorizedr8N©r%rƒr[r:Úwritten©r,r&r"r"r#Ú test_renderós z%UnauthorizedResourceTests.test_rendercCs.|jdd}| |¡| dd |j¡¡dS)z´ The rendering behavior of L{UnauthorizedResource} for a I{HEAD} request is like its handling of a I{GET} request, but no response body is written. sHEAD)r1r8Nr„r†r"r"r#Útest_renderHEADýs  z)UnauthorizedResourceTests.test_renderHEADcCs:ttdƒgƒ}| ¡}| |¡| |j d¡dg¡dS)z¾ The realm value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResounrce} is rendered has quotes and backslashes escaped. z example\"foor~sbasic realm="example\\\"foo"N)rrr%rr[rr‚)r,rzr&r"r"r#Útest_renderQuotesRealms  þz0UnauthorizedResourceTests.test_renderQuotesRealmcCsPtt dd¡gƒ}| ¡}| |¡|j d¡d}| d|¡| d|¡dS)z¾ The digest value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResource} is rendered has quotes and backslashes escaped. rXs example\"foor~rsrealm="example\\\"foo"shm="md5N)rrrZr%rrr‚rn)r,rzr&Ú authHeaderr"r"r#Útest_renderQuotesDigests ÿ  z1UnauthorizedResourceTests.test_renderQuotesDigestN) rLrMrNrOr{rƒr‡rˆr‰r‹r"r"r"r#ruØs  ruc@s(eZdZdZdd„Zdd„Zdd„ZdS) ÚRealmaJ A simple L{IRealm} implementation which gives out L{WebAvatar} for any avatarId. @type loggedIn: C{int} @ivar loggedIn: The number of times C{requestAvatar} has been invoked for L{IResource}. @type loggedOut: C{int} @ivar loggedOut: The number of times the logout callback has been invoked. cCsd|_d|_||_dS)Nr)Ú loggedOutÚloggedInÚ avatarFactory)r,rr"r"r#Ú__init__5s zRealm.__init__cGs.t|vr|jd7_t| |¡|jfStƒ‚©Né)rrŽrÚlogoutr/)r,ÚavatarIdÚmindÚ interfacesr"r"r#Ú requestAvatar:szRealm.requestAvatarcCs|jd7_dSr‘)rr+r"r"r#r“@óz Realm.logoutN)rLrMrNrOrr—r“r"r"r"r#rŒ(s   rŒc@s¤eZdZdZeZdd„Zdd„Zdd„Zdd „Z d d „Z d d „Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&S)'ÚHTTPAuthHeaderTestsz. Tests for L{HTTPAuthSessionWrapper}. cCs¨d|_d|_d|_d|_d|_tƒ|_|j |j|j¡t|jdƒ|_ |j   |jt|jdƒ¡|j|j i|_ t |j j ƒ|_t |j|jg¡|_g|_t|j|jƒ|_dS)z\ Create a realm, portal, and L{HTTPAuthSessionWrapper} to use in the tests. sfoo barsbar bazs&contents of the avatar resource itselfs foo-childs'contents of the foo child of the avatarú text/plainN)r(r)Ú avatarContentÚ childNameÚ childContentrÚcheckerÚaddUserrÚavatarÚputChildÚavatarsrŒÚgetr'rÚPortalÚcredentialFactoriesrÚwrapperr+r"r"r#r-KszHTTPAuthHeaderTests.setUpcCs2t|jd|jƒ}|j dd|¡t|j|ƒS)z¹ Add an I{basic authorization} header to the given request and then dispatch it, starting from C{self.wrapper} and returning the resulting L{IResource}. r9ó authorizationóBasic )rr(r)ÚrequestHeadersÚ addRawHeaderrr¦)r,r&Ú authorizationr"r"r#Ú_authorizedBasicLogin^s z)HTTPAuthHeaderTests._authorizedBasicLogincsHˆ ˆjg¡‰tˆjˆƒ}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)z× Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} instance when the request does not have the required I{Authorization} headers. cóˆ ˆjd¡dS©Nr}©r[r€©Úresult©r&r,r"r#Ú cbFinishedrr˜z@HTTPAuthHeaderTests.test_getChildWithDefault..cbFinished)r%rœrr¦Ú notifyFinishÚ addCallbackr©r,ÚchildÚdr³r"r²r#r{hs   z,HTTPAuthHeaderTests.test_getChildWithDefaultcsfˆj tdƒ¡ˆ ˆjg¡‰ˆj d|¡tˆjˆƒ}ˆ  ¡}‡‡fdd„}|  |¡ˆ  |¡|S)a( Create a request with the given value as the value of an I{Authorization} header and perform resource traversal with it, starting at C{self.wrapper}. Assert that the result is a 401 response code. Return a L{Deferred} which fires when this is all done. r|r§cr­r®r¯r°r²r"r#r³†r˜zAHTTPAuthHeaderTests._invalidAuthorizationTest..cbFinished) r¥Úappendrr%rœr©rªrr¦r´rµr)r,r@r·r¸r³r"r²r#Ú_invalidAuthorizationTestys   z-HTTPAuthHeaderTests._invalidAuthorizationTestcCs| dtdƒ¡S)zÚ Resource traversal which enouncters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} when the request has an I{Authorization} header with a user which does not exist. r¨sfoo:bar)rºrr+r"r"r#Ú(test_getChildWithDefaultUnauthorizedUserszHTTPAuthHeaderTests.test_getChildWithDefaultUnrecognizedSchemecsVˆj tdƒ¡ˆ ˆjg¡‰ˆ ˆ¡}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)zû Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{IResource} which renders the L{IResource} avatar retrieved from the portal when the request has a valid I{Authorization} header. r|cóˆ ˆjˆjg¡dSr)r[r…r©Úignoredr²r"r#r³´ózJHTTPAuthHeaderTests.test_getChildWithDefaultAuthorized..cbFinished) r¥r¹rr%rœr¬r´rµrr¶r"r²r#Ú"test_getChildWithDefaultAuthorized¨s   z6HTTPAuthHeaderTests.test_getChildWithDefaultAuthorizedcsRˆj tdƒ¡ˆ g¡‰ˆ ˆ¡}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)a Resource traversal which terminates at an L{HTTPAuthSessionWrapper} and includes correct authentication headers results in the L{IResource} avatar (not one of its children) retrieved from the portal being rendered. r|cr¾r)r[r…r›r¿r²r"r#r³ÈrÁz=HTTPAuthHeaderTests.test_renderAuthorized..cbFinished)r¥r¹rr%r¬r´rµrr¶r"r²r#Útest_renderAuthorized»s    z)HTTPAuthHeaderTests.test_renderAuthorizedcsrttƒGdd„dƒƒ}|ƒ‰ˆj ˆ¡ˆ ˆjg¡‰tˆjˆƒ}ˆ ¡}‡‡‡fdd„}|  |¡ˆ  |¡|S)zº When L{HTTPAuthSessionWrapper} finds an L{ICredentialFactory} to issue a challenge, it calls the C{getChallenge} method with the request as an argument. c@s eZdZdZdd„Zdd„ZdS)zUHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactorysdumbcSs g|_dSr)Úrequestsr+r"r"r#rÚs z^HTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.__init__cSs|j |¡iSr)rÄr¹r†r"r"r#rmÝs zbHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.getChallengeN)rLrMrNÚschemerrmr"r"r"r#ÚDumbCredentialFactoryÖs rÆcsˆ ˆjˆg¡dSr)r[rÄr¿©Úfactoryr&r,r"r#r³çózJHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..cbFinished) rrr¥r¹r%rœrr¦r´rµr)r,rÆr·r¸r³r"rÇr#Ú"test_getChallengeCalledWithRequestÏs    z6HTTPAuthHeaderTests.test_getChallengeCalledWithRequestcCsh|j tdƒ¡Gdd„dtƒ}|j |j|ƒ¡| |jg¡}| |¡}|  |¡|  |j j d¡|S)a Issue a request for an authentication-protected resource using valid credentials and then return the C{DummyRequest} instance which was used. This is a helper for tests about the behavior of the logout callback. r|c@seZdZdd„ZdS)z7HTTPAuthHeaderTests._logoutTest..SlowerResourcecSstSrrr†r"r"r#rúóz>HTTPAuthHeaderTests._logoutTest..SlowerResource.renderN)rLrMrNrr"r"r"r#ÚSlowerResourceùs rÌr) r¥r¹rrr r¡rœr%r¬rr[r'r)r,rÌr&r·r"r"r#Ú _logoutTestîs   zHTTPAuthHeaderTests._logoutTestcCs$| ¡}| ¡| |jjd¡dS)zX The realm's logout callback is invoked after the resource is rendered. r’N)rÍÚfinishr[r'rr†r"r"r#Ú test_logoutszHTTPAuthHeaderTests.test_logoutcCs.| ¡}| ttdƒƒ¡| |jjd¡dS)zª The realm's logout callback is also invoked if there is an error generating the response (for example, if the client disconnects early). zSimulated disconnectr’N)rÍÚprocessingFailedr r r[r'rr†r"r"r#Útest_logoutOnError sz&HTTPAuthHeaderTests.test_logoutOnErrorcCsH|j tdƒ¡| |jg¡}|j dd¡t|j|ƒ}|  |t ¡dS)zã Resource traversal which enouncters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} when the request has a I{Basic Authorization} header which cannot be decoded using base64. r|r§sBasic decode should failN) r¥r¹rr%rœr©rªrr¦ÚassertIsInstancer)r,r&r·r"r"r#Útest_decodeRaisessÿ z%HTTPAuthHeaderTests.test_decodeRaisescCsHd}| |j |¡d¡tdƒ}|j |¡| |j |¡|df¡dS)zì L{HTTPAuthSessionWrapper._selectParseHeader} returns a two-tuple giving the L{ICredentialFactory} to use to parse the header and a string containing the portion of the header which remains to be parsed. sBasic abcdef123456)NNr|s abcdef123456N)r[r¦Ú_selectParseHeaderrr¥r¹)r,ÚbasicAuthorizationrÈr"r"r#Útest_selectParseResponse$s ÿ  þz,HTTPAuthHeaderTests.test_selectParseResponsecs¼t |t¡}Gdd„dtƒ‰G‡fdd„dƒ}|j |ƒ¡| |jg¡}|j  dd¡t |j |ƒ}|  |¡|  |jd¡| dt|ƒ¡| |d d jˆ¡|  t| ˆ¡ƒd¡d S) z´ Any unexpected exception raised by the credential factory's C{decode} method results in a 500 response code and causes the exception to be logged. c@ó eZdZdS)zKHTTPAuthHeaderTests.test_unexpectedDecodeError..UnexpectedExceptionN©rLrMrNr"r"r"r#ÚUnexpectedException=órÙcs$eZdZdZdd„Z‡fdd„ZdS)zBHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactorysbadcSsiSrr")r,rTr"r"r#rmCrËzOHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.getChallengec󈃂rr")r,r@r&©rÙr"r#r;FózIHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.decodeN)rLrMrNrÅrmr;r"rÜr"r#Ú BadFactory@srÞr§sBad abcéôr’rÚ log_failureN)rÚcreateWithCleanupr Ú Exceptionr¥r¹r%rœr©rªrr¦rr[r€Ú assertEqualsÚlenrÒÚvalueÚflushLoggedErrors)r,Ú logObserverrÞr&r·r"rÜr#Útest_unexpectedDecodeError5s    z.HTTPAuthHeaderTests.test_unexpectedDecodeErrorcs¼t |t¡}Gdd„dtƒ‰G‡fdd„dƒ}|j |ƒ¡|j tdƒ¡|  |j g¡}|  |¡}|  |¡|  |jd¡| dt|ƒ¡| |dd jˆ¡|  t| ˆ¡ƒd¡d S) z‰ Any unexpected failure from L{Portal.login} results in a 500 response code and causes the failure to be logged. c@r×)zJHTTPAuthHeaderTests.test_unexpectedLoginError..UnexpectedExceptionNrØr"r"r"r#rÙZrÚrÙcseZdZefZ‡fdd„ZdS)zDHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenCheckercrÛrr")r,Ú credentialsrÜr"r#ÚrequestAvatarId`rÝzTHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenChecker.requestAvatarIdN)rLrMrNr ÚcredentialInterfacesrêr"rÜr"r#Ú BrokenChecker]srìr|rßr’rràN)rrár rârÚregisterCheckerr¥r¹rr%rœr¬rr[r€rãrärÒråræ)r,rçrìr&r·r"rÜr#Útest_unexpectedLoginErrorSs   z-HTTPAuthHeaderTests.test_unexpectedLoginErrorcs’d‰tƒˆjt<ˆjt ˆjtˆdƒ¡ˆj tƒ¡ˆj   t dƒ¡ˆ  ˆjg¡‰t ˆjˆƒ}ˆ ¡}‡‡‡fdd„}| |¡ˆ |¡|S)zl Anonymous requests are allowed if a L{Portal} has an anonymous checker registered. s*contents of the unprotected child resourceršr|csˆ ˆjˆg¡dSr)r[r…r¿©r&r,ÚunprotectedContentsr"r#r³rÉz.cbFinished)rr¢rr¡rœrrrírr¥r¹rr%rr¦r´rµrr¶r"rïr#Útest_anonymousAccessms   ÿ   z(HTTPAuthHeaderTests.test_anonymousAccessN)rLrMrNrOrr%r-r¬r{rºr»r¼r½rÂrÃrÊrÍrÏrÑrÓrÖrèrîrñr"r"r"r#r™Ds*    r™)9rOrÚzope.interfacerÚzope.interface.verifyrÚ twisted.credrrÚtwisted.cred.checkersrrrÚtwisted.cred.credentialsr Útwisted.internet.addressr Útwisted.internet.errorr Útwisted.loggerr Útwisted.python.failurer Útwisted.test.proto_helpersrÚ twisted.trialrÚtwisted.web._authrrÚtwisted.web._auth.basicrÚtwisted.web._auth.wrapperrrÚtwisted.web.iwebrÚtwisted.web.resourcerrrÚtwisted.web.serverrÚtwisted.web.staticrÚtwisted.web.test.test_webrrr$rPÚTestCaserUrVruÚIRealmrŒr™r"r"r"r#Ús<              PK M