o ¯b¤]ã@s¬dZddlZddlmZddlmZmZddlmZddl m Z m Z m Z m Z mZddlmZddlmZdd lmZdd lmZd d „ZGd d„de ƒZGdd„deƒZdS)z[ Tests for L{twisted.cred._digest} and the associated bits in L{twisted.cred.credentials}. éN)Úhexlify)Úmd5Úsha1)Ú verifyObject)ÚDigestCredentialFactoryÚIUsernameDigestHashÚcalcHA1ÚcalcHA2Ú calcResponse)Ú LoginFailed)Ú IPv4Address)Ú networkString)ÚTestCasecCst |¡ ¡S)N)Úbase64Ú b64encodeÚstrip)Ús©rúC/usr/lib/python3/dist-packages/twisted/cred/test/test_digestauth.pyrsrcs0eZdZdZ‡fdd„Zdd„Zdd„Z‡ZS)ÚFakeDigestCredentialFactoryz\ A Fake Digest Credential Factory that generates a predictable nonce and opaque cstƒj|i|¤Žd|_dS)Nó0)ÚsuperÚ__init__Ú privateKey)ÚselfÚargsÚkwargs©Ú __class__rrr's z$FakeDigestCredentialFactory.__init__cCódS)z) Generate a static nonce s178288758716122392881254770685r©rrrrÚ_generateNonce+óz*FakeDigestCredentialFactory._generateNoncecCr)z& Return a stable time rrr rrrÚ_getTime1r"z$FakeDigestCredentialFactory._getTime)Ú__name__Ú __module__Ú __qualname__Ú__doc__rr!r#Ú __classcell__rrrrr!s  rc@sZeZdZdZdd„Zdefdd„Zdd„Zd d „Zdefd d „Z defd d„Z dd„Z dd„Z dd„Z dd„Zdefdd„Zdd„Zdd„Zdefdd„Zdd „Zd!d"„ZdOd$d%„Zd&d'„ZdOd(d)„Zd*d+„Zd,d-„Zd.d/„Zd0d1„Zd2d3„Zd4d5„Zd6d7„Zd8d9„Zd:d;„Z dd?„Z"d@dA„Z#dBdC„Z$dDdE„Z%dFdG„Z&dHdI„Z'dJdK„Z(dLdM„Z)dNS)PÚDigestAuthTestsz¸ L{TestCase} mixin class which defines a number of tests for L{DigestCredentialFactory}. Because this mixin defines C{setUp}, it must be inherited before L{TestCase}. cCsRd|_d|_d|_d|_d|_d|_d|_tdd d ƒ|_d |_ t |j|jƒ|_ d S) z> Create a DigestCredentialFactory for testing ófoobarsbazquuxs test realmómd5s 29fc54aa1641c6fa0e151419361c8f23óauths/write/ÚTCPz10.2.3.4iu¨óGETN) ÚusernameÚpasswordÚrealmÚ algorithmÚcnonceÚqopÚurir Ú clientAddressÚmethodrÚcredentialFactoryr rrrÚsetUp?szDigestAuthTests.setUpr+cCsTd}t||j|j|j||jƒ}d |j|j|jf¡}t||ƒ ¡ƒ}| ||¡dS)zŽ L{calcHA1} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, excluding the nonce and cnonce. s abc123xyzó:N) rr/r1r0r3ÚjoinrÚdigestÚ assertEqual)rÚ _algorithmÚ_hashÚnonceÚhashA1Úa1ÚexpectedrrrÚtest_MD5HashA1NsÿzDigestAuthTests.test_MD5HashA1cCs~d}td|j|j|j||jƒ}|jd|jd|j}tt|ƒ ¡ƒ}|d|d|j}tt|ƒ ¡ƒ}| ||¡dS)z“ L{calcHA1} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, including the nonce and cnonce. s xyz321abcómd5-sessr:N) rr/r1r0r3rrr<r=)rr@rArBÚha1rCrrrÚtest_MD5SessionHashA1[sÿz%DigestAuthTests.test_MD5SessionHashA1cCó| dt¡dS)z L{calcHA1} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, excluding the nonce and cnonce. óshaN)rDrr rrrÚtest_SHAHashA1józDigestAuthTests.test_SHAHashA1cCsDd}t|||jddƒ}|d|j}t||ƒ ¡ƒ}| ||¡dS)z± L{calcHA2} accepts the C{'md5'} algorithm and returns an MD5 hash of its arguments, excluding the entity hash for QOP other than C{'auth-int'}. r.r,Nr:©r r5rr<r=)rr>r?r7ÚhashA2Úa2rCrrrÚtest_MD5HashA2Authqs z"DigestAuthTests.test_MD5HashA2AuthcCsPd}d}t|||jd|ƒ}|d|jd|}t||ƒ ¡ƒ}| ||¡dS)z¡ L{calcHA2} accepts the C{'md5'} algorithm and returns an MD5 hash of its arguments, including the entity hash for QOP of C{'auth-int'}. r.s foobarbazsauth-intr:NrL)rr>r?r7ÚhentityrMrNrCrrrÚtest_MD5HashA2AuthInt}s z%DigestAuthTests.test_MD5HashA2AuthIntcCó| d¡dS)zŸ L{calcHA2} accepts the C{'md5-sess'} algorithm and QOP of C{'auth'} and returns the same value as it does for the C{'md5'} algorithm. rEN)rOr rrrÚtest_MD5SessHashA2Auth‰óz&DigestAuthTests.test_MD5SessHashA2AuthcCrR)z£ L{calcHA2} accepts the C{'md5-sess'} algorithm and QOP of C{'auth-int'} and returns the same value as it does for the C{'md5'} algorithm. rEN)rQr rrrÚtest_MD5SessHashA2AuthIntrTz)DigestAuthTests.test_MD5SessHashA2AuthIntcCrH)z° L{calcHA2} accepts the C{'sha'} algorithm and returns a SHA hash of its arguments, excluding the entity hash for QOP other than C{'auth-int'}. rIN)rOrr rrrÚtest_SHAHashA2Auth—óz"DigestAuthTests.test_SHAHashA2AuthcCrH)z  L{calcHA2} accepts the C{'sha'} algorithm and returns a SHA hash of its arguments, including the entity hash for QOP of C{'auth-int'}. rIN)rQrr rrrÚtest_SHAHashA2AuthIntŸrKz%DigestAuthTests.test_SHAHashA2AuthIntc CsTd}d}d}|d|d|}t||ƒ ¡ƒ}t||||dddƒ}| ||¡dS)zâ L{calcResponse} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} óabc123ó789xyzólmnopqr:N©rr<r r=) rr>r?rArMr@ÚresponserCr<rrrÚtest_MD5HashResponse¦sz$DigestAuthTests.test_MD5HashResponsecCrR)zç L{calcResponse} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} rEN)r^r rrrÚtest_MD5SessionHashResponse¶óz+DigestAuthTests.test_MD5SessionHashResponsecCrH)zá L{calcResponse} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} rIN)r^rr rrrÚtest_SHAHashResponse¾rWz$DigestAuthTests.test_SHAHashResponsec Csxd}d}d}d}d}d}|d|d|d|d|d|} t|| ƒ ¡ƒ} t|||||||ƒ} | | | ¡dS) zÉ L{calcResponse} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rYrZr[s00000004s abcxyz123r,r:Nr\) rr>r?rArMr@Ú nonceCountÚ clientNoncer4r]rCr<rrrÚtest_MD5HashResponseExtraÆsBÿþýüûúùø ÷ öÿ ÿz)DigestAuthTests.test_MD5HashResponseExtracCrR)zÎ L{calcResponse} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rEN)rdr rrrÚ test_MD5SessionHashResponseExtraçr`z0DigestAuthTests.test_MD5SessionHashResponseExtracCrH)zÈ L{calcResponse} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rIN)rdrr rrrÚtest_SHAHashResponseExtraïrWz)DigestAuthTests.test_SHAHashResponseExtraTc s–d|vr |j|d<d|vr|j|d<d|vr|j|d<d|vr$|j|d<d|vr-|j|d<d|vr6|j|d<|r;d‰nd‰d  ‡fd d „| ¡Dƒ¡S) aþ Format all given keyword arguments and their values suitably for use as the value of an HTTP header. @types quotes: C{bool} @param quotes: A flag indicating whether to quote the values of each field in the response. @param **kw: Keywords and C{bytes} values which will be treated as field name/value pairs to include in the result. @rtype: C{bytes} @return: The given fields formatted for use as an HTTP header value. r/r1r2r4r3r5ó"ós, c s0g|]\}}|durd t|ƒdˆ|ˆf¡‘qS)Nrhó=)r;r )Ú.0ÚkÚv©ÚquoterrÚ s þz2DigestAuthTests.formatResponse..)r/r1r2r4r3r5r;Úitems)rÚquotesÚkwrrmrÚformatResponse÷s(       þÿzDigestAuthTests.formatResponsec Csh| d¡}| d¡ ¡}| d¡}t||j|j|j||jƒ}t|d|j|dƒ}t ||||||j|ƒ}|S)z@ Calculate the response for the given challenge r@r2r4r.N) ÚgetÚlowerrr/r1r0r3r r5r ) rÚ challengeÚncountr@Úalgor4rFÚha2rCrrrÚgetDigestResponses  ÿz!DigestAuthTests.getDigestResponsecCsz|j |jj¡}d}|j||d| ||¡||dd}|j ||j|jj¡}| |  |j ¡¡|  |  |j d¡¡dS)zš L{DigestCredentialFactory.decode} accepts a digest challenge response and parses it into an L{IUsernameHashedPassword} provider. ó00000001r@Úopaque)rqr@r]Úncr|ówrongN© r8Ú getChallenger6ÚhostrsrzÚdecoder7Ú assertTrueÚ checkPasswordr0Ú assertFalse)rrqrvr}ÚclientResponseÚcredsrrrÚ test_response.s û ÿzDigestAuthTests.test_responsecCrR)a L{DigestCredentialFactory.decode} accepts a digest challenge response which does not quote the values of its fields and parses it into an L{IUsernameHashedPassword} provider in the same way it would a response which included quoted field values. FN)rˆr rrrÚtest_responseWithoutQuotesCsz*DigestAuthTests.test_responseWithoutQuotescCsd|_| d¡dS)z¶ L{DigestCredentialFactory.decode} accepts a digest challenge response which quotes the values of its fields and includes a C{b","} in the URI field. s /some,path/TN)r5rˆr rrrÚtest_responseWithCommaURILsz)DigestAuthTests.test_responseWithCommaURIcCsd|_| ¡dS)zs The case of the algorithm value in the response is ignored when checking the credentials. sMD5N©r2rˆr rrrÚtest_caseInsensitiveAlgorithmUs z-DigestAuthTests.test_caseInsensitiveAlgorithmcCsd|_| ¡dS)zV The algorithm defaults to MD5 if it is not supplied in the response. Nr‹r rrrÚtest_md5DefaultAlgorithm]s z(DigestAuthTests.test_md5DefaultAlgorithmcCsp|j d¡}d}|j|d| ||¡||dd}|j ||jd¡}| | |j¡¡|  | |jd¡¡dS)z“ L{DigestCredentialFactory.decode} accepts a digest challenge response even if the client address it is passed is L{None}. Nr{r@r|©r@r]r}r|r~) r8r€rsrzr‚r7rƒr„r0r…©rrvr}r†r‡rrrÚtest_responseWithoutClientIPds  üz,DigestAuthTests.test_responseWithoutClientIPcCsÜ|j |jj¡}d}|j|d| ||¡||dd}|j ||j|jj¡}| |  |j ¡¡|  |  |j d¡¡d}|j|d| ||¡||dd}|j ||j|jj¡}| |  |j ¡¡|  |  |j d¡¡dS)zm L{DigestCredentialFactory.decode} handles multiple responses to a single challenge. r{r@r|rŽr~s00000002NrrrrrÚtest_multiResponsevs2 ü ÿ ü ÿz"DigestAuthTests.test_multiResponsecCsv|j |jj¡}d}|j|d| ||¡||dd}|j |d|jj¡}| | |j ¡¡| | |j d¡¡dS)a& L{DigestCredentialFactory.decode} returns an L{IUsernameHashedPassword} provider which rejects a correct password for the given user if the challenge response request is made using a different HTTP method than was used to request the initial challenge. r{r@r|rŽsPOSTr~N) r8r€r6rrsrzr‚r…r„r0rrrrÚtest_failsWithDifferentMethod™s ü ÿz-DigestAuthTests.test_failsWithDifferentMethodcCsl| t|jj|jdd|j|jj¡}| t |ƒd¡| t|jj|jdd|j|jj¡}| t |ƒd¡dS)zš L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no username field or if the username field is empty. N)r/z$Invalid response, no username given.rh© Ú assertRaisesr r8r‚rsr7r6rr=Ústr©rÚerrrÚtest_noUsername¯s  û ûzDigestAuthTests.test_noUsernamecCs8| t|jj|jdd|j|jj¡}| t |ƒd¡dS)zo L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no nonce. rY)r|z!Invalid response, no nonce given.Nr“r–rrrÚ test_noNonceÈs ûzDigestAuthTests.test_noNoncecCs4| t|jj| ¡|j|jj¡}| t |ƒd¡dS)zp L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no opaque. z"Invalid response, no opaque given.Nr“r–rrrÚ test_noOpaqueÖsûzDigestAuthTests.test_noOpaquecCs¼|j |jj¡}d}|j|d| ||¡||dd}|j ||j|jj¡}| t t |ƒ¡|j d|j d|j }t|ƒ}| | t| ¡ƒ¡¡| d¡| | t| ¡ƒ¡¡dS)z¥ L{DigestCredentialFactory.decode} returns an L{IUsernameDigestHash} provider which can verify a hash of the form 'username:realm:password'. r{r@r|rŽr:r~N)r8r€r6rrsrzr‚r7rƒrrr/r1r0rÚ checkHashrr<Úupdater…)rrvr}r†r‡Ú cleartextÚhashrrrÚtest_checkHashäs" ü ÿ zDigestAuthTests.test_checkHashcCst|j|jƒ}| |jj¡}| t|jd|d|jj¡}|  t |ƒd¡dt dƒ}| t|j||d|jj¡}|  t |ƒd¡| t|jd|d|jj¡}|  t |ƒd¡dt d  |dt |jjƒdf¡ƒ}| t|j||d|jj¡}|  t |ƒd ¡d S) z L{DigestCredentialFactory.decode} raises L{LoginFailed} when the opaque value does not contain all the required parts. s badOpaquer@z&Invalid response, invalid opaque valuesfoo-snonce,clientiprhó,r*z,Invalid response, invalid opaque/time valuesN)rr2r1r€r6rr”r Ú _verifyOpaquer=r•rr;r )rr8rvÚexcÚ badOpaquerrrÚtest_invalidOpaqueþsPû ûûÿÿûz"DigestAuthTests.test_invalidOpaquecCs„t|j|jƒ}| |jj¡}| d|jj¡}| t|j ||d|jj¡}|  t |ƒd¡| t|j |d|jj¡}|  t |ƒd¡dS)z¨ L{DigestCredentialFactory.decode} raises L{LoginFailed} when the given nonce from the response does not match the nonce encoded in the opaque. s 1234567890r@z2Invalid response, incompatible opaque/nonce valuesrhN) rr2r1r€r6rÚ_generateOpaquer”r r¡r=r•)rr8rvÚbadNonceOpaquer¢rrrÚtest_incompatibleNonce1s*ÿûûz&DigestAuthTests.test_incompatibleNoncecCs`t|j|jƒ}| |jj¡}d}| |jj|¡| |d|¡}| t |j ||d|jj¡dS)z« L{DigestCredentialFactory.decode} raises L{LoginFailed} when the request comes from a client IP other than what is encoded in the opaque. z10.0.0.1r@N) rr2r1r€r6rÚassertNotEqualr¥r”r r¡)rr8rvÚ badAddressr¦rrrÚtest_incompatibleClientIPOsÿûz)DigestAuthTests.test_incompatibleClientIPcCsŠt|j|jƒ}| |jj¡}d |dt|jjƒdf¡}tt ||j ƒ  ¡ƒ}t |ƒ}d ||  d¡f¡}| t|j||d|jj¡dS)z¨ L{DigestCredentialFactory.decode} raises L{LoginFailed} when the given opaque is older than C{DigestCredentialFactory.CHALLENGE_LIFETIME_SECS} r r@s -137876876ó-ó N)rr2r1r€r6rr;r rrrr<rrr”r r¡)rr8rvÚkeyr<ÚekeyÚoldNonceOpaquerrrÚ test_oldNoncehsÿûzDigestAuthTests.test_oldNoncecCs~t|j|jƒ}| |jj¡}d |dt|jjƒdf¡}tt |dƒ  ¡ƒ}d |t |ƒf¡}|  t |j||d|jj¡dS)z~ L{DigestCredentialFactory.decode} raises L{LoginFailed} when the opaque checksum fails verification. r r@rsthis is not the right pkeyr«N)rr2r1r€r6rr;r rrr<rr”r r¡)rr8rvr­r<Ú badChecksumrrrÚtest_mismatchedOpaqueChecksum€sÿûz-DigestAuthTests.test_mismatchedOpaqueChecksumc Cs6d}|D]\}}}}|jttd|||dd|d qdS)z° L{calcHA1} raises L{TypeError} when any of the pszUsername, pszRealm, or pszPassword arguments are specified with the preHA1 keyword argument. ))suserórealmópasswordópreHA1)Nr³Nrµ)NNr´rµr+snoncescnonce)ÚpreHA1N)r”Ú TypeErrorr)rÚ argumentsÚ pszUsernameÚpszRealmÚ pszPasswordr¶rrrÚtest_incompatibleCalcHA1Options—s÷ÿz/DigestAuthTests.test_incompatibleCalcHA1OptionscCs|j dd¡}| d|¡dS)z L{DigestCredentialFactory._generateOpaque} returns a value without newlines, regardless of the length of the nonce. snlong nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce Nr¬)r8r¥Ú assertNotIn)rr|rrrÚtest_noNewlineOpaque°sz$DigestAuthTests.test_noNewlineOpaqueN)T)*r$r%r&r'r9rrDrGrJrOrQrSrUrVrXr^r_rardrerfrsrzrˆr‰rŠrŒrrr‘r’r˜r™ršrŸr¤r§rªr°r²r¼r¾rrrrr)8sN   ! (   #3 r))r'rÚbinasciirÚhashlibrrÚzope.interface.verifyrÚtwisted.cred.credentialsrrrr r Útwisted.cred.errorr Útwisted.internet.addressr Útwisted.python.compatr Útwisted.trial.unittestrrrr)rrrrÚs