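def test_incorrect_nonce(self):
    """Reject a server-first message whose nonce the client does not accept.

    The mocked server answers the client-first message with ``r=foobar``.
    The client is expected to abort and raise ``SASLFailure`` with "nonce"
    in its message and no opaque error code.

    RFC 5802 requires the ``r=`` value of the server-first message to begin
    with the nonce the client sent. Presumably ``foobar`` does not extend
    the nonce inside ``self.client_first_message_bare``, which is defined
    outside this block.
    """
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         b"r=foobar,s=" + base64.b64encode(self.salt) + b",i=4096"),
        # After the bad challenge the mock accepts nothing but an abort.
        ("abort", None,
         "failure", ("aborted", None)),
    ]
    smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(self, exchange))

    # assertRaisesRegexp was a deprecated alias and was removed in
    # Python 3.12; assertRaisesRegex is the same check under its supported
    # name, so this test keeps running on current interpreters.
    with self.assertRaisesRegex(aiosasl.SASLFailure, "nonce") as ctx:
        self._run(smmock, aiosasl.SCRAM(self._provide_credentials))

    # Read after the with block: ctx.exception is only populated on exit.
    self.assertIsNone(ctx.exception.opaque_error)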
def test_rfc_with_downgrade_protection(self):
    """Complete a SCRAM-SHA-1 exchange with ``after_scram_plus=True``.

    With that flag the expected client-first message starts with the GS2
    flag ``y`` rather than ``n``. In RFC 5802, ``y`` tells the server that
    the client supports channel binding but believes the server does not,
    so a server that did offer a ``-PLUS`` mechanism can notice that the
    offer was stripped in transit.
    """
    client_final = (
        self.client_final_message_without_proof
        + b",p=" + base64.b64encode(self.client_proof)
    )
    server_final = b"v=" + base64.b64encode(self.server_signature)

    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"y,," + self.client_first_message_bare,
         "challenge",
         self.server_first_message),
        ("response", client_final, "success", server_final),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    mechanism = aiosasl.SCRAM(
        self._provide_credentials,
        after_scram_plus=True,
    )
    outcome = self._run(state_machine, mechanism)
    self.assertTrue(outcome)
def test_high_iteration_count(self):
    """Complete a SCRAM-SHA-1 exchange using the ``*_5000`` fixtures.

    The fixture names suggest a server-announced iteration count of 5000;
    the fixtures are defined outside this block, so confirm there. The
    client must derive a matching proof and accept the server signature.
    """
    client_final = (
        self.client_final_message_without_proof
        + b",p=" + base64.b64encode(self.client_proof_5000)
    )
    server_final = b"v=" + base64.b64encode(self.server_signature_5000)

    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         self.server_first_message_5000),
        ("response", client_final, "success", server_final),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    mechanism = aiosasl.SCRAM(self._provide_credentials)
    outcome = self._run(state_machine, mechanism)
    self.assertTrue(outcome)
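def test_reject_protocol_violation_2(self):
    """Reject a "success" that arrives before any challenge.

    The mocked server replies to the client-first message with ``success``
    and no payload. The client is expected to abort and raise
    ``SASLFailure`` matching "protocol violation", with no opaque error
    code.

    Accepting this reply would mean treating the session as authenticated
    without the client ever having checked a server signature.
    """
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "success",
         None),
        ("abort", None,
         "failure", ("aborted", None)),
    ]
    smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(self, exchange))

    # assertRaisesRegexp was a deprecated alias and was removed in
    # Python 3.12; assertRaisesRegex is the same check under its supported
    # name, so this test keeps running on current interpreters.
    with self.assertRaisesRegex(aiosasl.SASLFailure,
                                "protocol violation") as ctx:
        self._run(smmock, aiosasl.SCRAM(self._provide_credentials))

    # assertIsNone states the intent directly and matches the sibling
    # tests in this file that check for a missing opaque error.
    self.assertIsNone(ctx.exception.opaque_error)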
def test_other_malformed_reply(self):
    """Reject a challenge whose attributes are present but not usable.

    The mocked server-first message carries a non-numeric ``i=sometext``
    and a salt of ``ABC``. The client is expected to abort and raise
    ``SASLFailure`` whose text contains "malformed" (case-insensitive).
    Which attribute triggers the rejection is not visible from this block.
    """
    bad_challenge = (
        b"i=sometext,s=ABC,r=Zm9vAAAAAAAAAAAAAAAA3rfcNHYJY1ZVvWVs7j"
    )
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         bad_challenge),
        ("abort", None, "failure", ("aborted", None)),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    with self.assertRaises(aiosasl.SASLFailure) as ctx:
        self._run(state_machine, aiosasl.SCRAM(self._provide_credentials))

    # ctx.exception is only populated once the with block has exited.
    message = str(ctx.exception).lower()
    self.assertIn("malformed", message)
def test_malformed_reply(self):
    """Reject a challenge that lacks the attributes SCRAM needs.

    The mocked server-first message is ``s=hut,t=hefu,c=kup,d=onny``: it
    has no ``r=`` (nonce) and no ``i=`` (iteration count). The client is
    expected to abort and raise ``SASLFailure`` whose text contains
    "malformed" (case-insensitive).
    """
    bad_challenge = b"s=hut,t=hefu,c=kup,d=onny"
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         bad_challenge),
        ("abort", None, "failure", ("aborted", None)),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    with self.assertRaises(aiosasl.SASLFailure) as ctx:
        self._run(state_machine, aiosasl.SCRAM(self._provide_credentials))

    # ctx.exception is only populated once the with block has exited.
    message = str(ctx.exception).lower()
    self.assertIn("malformed", message)
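def test_too_low_iteration_count(self):
    """Reject a server-announced iteration count one below the minimum.

    The server-first fixture is rewritten from ``i=4096`` to ``i=4095``.
    The client is expected to abort and raise ``SASLFailure`` with the
    exact "minimum iteration count for SCRAM-SHA-1 violated" message and
    no opaque error code.

    The iteration count is the key-stretching work factor for the salted
    password. A client that accepted whatever the peer announces would let
    a misconfigured or impersonated server lower the cost of guessing the
    password from the proof it receives, so the lower bound is enforced on
    the client side.
    """
    weakened_challenge = self.server_first_message.replace(
        b",i=4096", b",i=4095"
    )
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         weakened_challenge),
        ("abort", None,
         "failure", ("aborted", None)),
    ]
    smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(self, exchange))

    # assertRaisesRegexp was a deprecated alias and was removed in
    # Python 3.12; assertRaisesRegex is the same check under its supported
    # name, so this test keeps running on current interpreters.
    with self.assertRaisesRegex(
            aiosasl.SASLFailure,
            r"minimum iteration count for SCRAM-SHA-1 violated "
            r"\(4095 is less than 4096\)") as ctx:
        self._run(smmock, aiosasl.SCRAM(self._provide_credentials))

    # assertIsNone states the intent directly and matches the sibling
    # tests in this file that check for a missing opaque error.
    self.assertIsNone(ctx.exception.opaque_error)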
def test_promote_failure_to_authentication_failure(self):
    """Surface a failure after the client proof as AuthenticationFailure.

    The mocked server accepts the client-first message, then answers the
    client-final message (which carries the proof) with ``failure`` and
    the condition ``credentials-expired``. The client is expected to raise
    ``AuthenticationFailure`` and to expose that condition unchanged as
    ``opaque_error``.
    """
    client_final = (
        self.client_final_message_without_proof
        + b",p=" + base64.b64encode(self.client_proof)
    )
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         self.server_first_message),
        ("response", client_final,
         "failure", ("credentials-expired", None)),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    with self.assertRaises(aiosasl.AuthenticationFailure) as ctx:
        self._run(state_machine, aiosasl.SCRAM(self._provide_credentials))

    # ctx.exception is only populated once the with block has exited.
    reported_condition = ctx.exception.opaque_error
    self.assertEqual("credentials-expired", reported_condition)
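def test_reject_protocol_violation_1(self):
    """Reject a final "success" that carries no server payload.

    The mocked server answers the client-final message with ``success``
    and ``None`` instead of a ``v=`` server signature. The client is
    expected to raise ``SASLFailure`` matching "protocol violation" with
    ``opaque_error`` set to ``malformed-request``.

    The server signature is what proves to the client that the server
    knows the credentials. A success with nothing to verify must not be
    treated as a completed authentication.
    """
    client_final = (
        self.client_final_message_without_proof
        + b",p=" + base64.b64encode(self.client_proof)
    )
    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere. No abort entry follows
    # here, unlike the tests that fail at the challenge stage.
    exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         self.server_first_message),
        ("response", client_final,
         "success", None),
    ]
    smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(self, exchange))

    # assertRaisesRegexp was a deprecated alias and was removed in
    # Python 3.12; assertRaisesRegex is the same check under its supported
    # name, so this test keeps running on current interpreters.
    with self.assertRaisesRegex(aiosasl.SASLFailure,
                                "protocol violation") as ctx:
        self._run(smmock, aiosasl.SCRAM(self._provide_credentials))

    # Read after the with block: ctx.exception is only populated on exit.
    self.assertEqual(
        "malformed-request",
        ctx.exception.opaque_error
    )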
def test_invalid_signature(self):
    """Reject a final "success" whose server signature does not verify.

    The mocked server completes the exchange but sends ``v=`` followed by
    base64 of ``b"fnord"`` as its signature. The client is expected to
    raise ``SASLFailure`` with no opaque error code and with "signature"
    in the message (case-insensitive).

    Checking ``v=`` is the step that authenticates the server to the
    client, so a success with a wrong signature must end in failure.
    """
    client_final = (
        self.client_final_message_without_proof
        + b",p=" + base64.b64encode(self.client_proof)
    )
    forged_server_final = b"v=" + base64.b64encode(b"fnord")

    # Each entry looks like (expected client action, expected payload,
    # mocked reply state, mocked reply payload) -- confirm against
    # SASLInterfaceMock, which is defined elsewhere.
    expected_exchange = [
        ("auth;SCRAM-SHA-1",
         b"n,," + self.client_first_message_bare,
         "challenge",
         self.server_first_message),
        ("response", client_final, "success", forged_server_final),
    ]
    state_machine = aiosasl.SASLStateMachine(
        SASLInterfaceMock(self, expected_exchange)
    )

    with self.assertRaises(aiosasl.SASLFailure) as ctx:
        self._run(state_machine, aiosasl.SCRAM(self._provide_credentials))

    # ctx.exception is only populated once the with block has exited.
    self.assertIsNone(ctx.exception.opaque_error)
    message = str(ctx.exception).lower()
    self.assertIn("signature", message)