def setUp(self):
"""
Setup router and router session factories.
"""
# create a router factory
self.router_factory = RouterFactory(u'mynode')
# start a realm
self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'}))
# allow everything
default_permissions = {
u'uri': u'',
u'match': u'prefix',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True
}
}
self.router = self.router_factory.get(u'realm1')
self.router.add_role(RouterRoleStaticAuth(self.router, u'test_role', default_permissions=default_permissions))
self.router.add_role(RouterRoleStaticAuth(self.router, None, default_permissions=default_permissions))
# create a router session factory
self.session_factory = RouterSessionFactory(self.router_factory)
def setUp(self):
permissions = [{
u'uri': u'com..private',
u'match': 'wildcard',
u'allow': {
u'call': True,
u'register': False,
u'publish': False,
u'subscribe': False,
}
}, {
u'uri': u'com.something_specific.private',
u'match': 'exact',
u'allow': {
u'call': False,
u'register': True,
u'publish': False,
u'subscribe': False
}
}, {
u'uri': u'com.',
u'match': 'prefix',
u'allow': {
u'call': False,
u'register': False,
u'publish': True,
u'subscribe': False
}
}]
self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
def test_ruleset_empty(self):
permissions = []
role = RouterRoleStaticAuth(None, "testrole", permissions)
actions = ['call', 'register', 'publish', 'subscribe']
uris = ['com.example.1', 'myuri', '']
for uri in uris:
for action in actions:
self.assertFalse(role.authorize(None, uri, action))
def test_ruleset_empty(self):
permissions = []
role = RouterRoleStaticAuth(None, "testrole", permissions)
actions = ['call', 'register', 'publish', 'subscribe']
uris = ['com.example.1', 'myuri', '']
for uri in uris:
for action in actions:
self.assertFalse(role.authorize(None, uri, action))
def test_ruleset_2(self):
permissions = [{u"uri": u"*", u"call": True, u"register": True, u"publish": True, u"subscribe": True}]
role = RouterRoleStaticAuth(None, u"testrole", permissions)
actions = [u"call", u"register", u"publish", u"subscribe"]
uris = [(u"com.example.1", True), (u"myuri", True), (u"", True)]
for uri, allow in uris:
for action in actions:
authorization = role.authorize(None, uri, action)
self.assertEqual(authorization[u"allow"], allow)
def test_ruleset_empty(self):
permissions = []
role = RouterRoleStaticAuth(None, u'testrole', permissions)
actions = [u'call', u'register', u'publish', u'subscribe']
uris = [u'com.example.1', u'myuri', u'']
for uri in uris:
for action in actions:
authorization = role.authorize(None, uri, action, {})
self.assertFalse(authorization[u'allow'])
def test_ruleset_empty(self):
permissions = []
role = RouterRoleStaticAuth(None, u'testrole', permissions)
actions = [u'call', u'register', u'publish', u'subscribe']
uris = [u'com.example.1', u'myuri', u'']
for uri in uris:
for action in actions:
authorization = role.authorize(None, uri, action, {})
self.assertFalse(authorization[u'allow'])
def test_ruleset_2(self):
permissions = [{'uri': '*', 'allow': {'call': True, 'register': True, 'publish': True, 'subscribe': True}}]
role = RouterRoleStaticAuth(None, 'testrole', permissions)
actions = ['call', 'register', 'publish', 'subscribe']
uris = [('com.example.1', True), ('myuri', True), ('', True)]
for uri, allow in uris:
for action in actions:
authorization = role.authorize(None, uri, action, {})
self.assertEqual(authorization['allow'], allow)
def test_ruleset_empty(self):
permissions = []
role = RouterRoleStaticAuth(None, u"testrole", permissions)
actions = [u"call", u"register", u"publish", u"subscribe"]
uris = [u"com.example.1", u"myuri", u""]
for uri in uris:
for action in actions:
authorization = role.authorize(None, uri, action)
self.assertFalse(authorization[u"allow"])
def test_ruleset_1(self):
permissions = [{
'uri': 'com.example.*',
'call': True,
'register': True,
'publish': True,
'subscribe': True
}]
role = RouterRoleStaticAuth(None, "testrole", permissions)
actions = ['call', 'register', 'publish', 'subscribe']
uris = [('com.example.1', True), ('myuri', False), ('', False)]
for uri, allow in uris:
for action in actions:
self.assertEqual(role.authorize(None, uri, action), allow)
def setUp(self):
permissions = [
{
u'uri': u'com..private',
u'match': 'wildcard',
u'allow': {
u'call': True,
u'register': False,
u'publish': False,
u'subscribe': False,
}
},
{
u'uri': u'com.something_specific.private',
u'match': 'exact',
u'allow': {
u'call': False,
u'register': True,
u'publish': False,
u'subscribe': False
}
},
{
u'uri': u'com.',
u'match': 'prefix',
u'allow': {
u'call': False,
u'register': False,
u'publish': True,
u'subscribe': False
}
}
]
self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
def test_ruleset_2(self):
permissions = [
{
'uri': '*',
'call': True,
'register': True,
'publish': True,
'subscribe': True
}
]
role = RouterRoleStaticAuth(None, "testrole", permissions)
actions = ['call', 'register', 'publish', 'subscribe']
uris = [('com.example.1', True), ('myuri', True), ('', True)]
for uri, allow in uris:
for action in actions:
self.assertEqual(role.authorize(None, uri, action), allow)
def add_realm_to_router(router_factory, session_factory, realm_name=u'default',
realm_options={}):
opts = dict(realm_options)
opts.update({u'name': realm_name})
# start a realm
realm = RouterRealm(None, opts)
router = router_factory.start_realm(realm)
extra = {}
session_config = ComponentConfig(realm_name, extra)
realm.session = RouterServiceSession(session_config, router)
# allow everything
default_permissions = {
u'uri': u'',
u'match': u'prefix',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True
}
}
router = router_factory.get(realm_name)
router.add_role(RouterRoleStaticAuth(router, 'anonymous', default_permissions=default_permissions))
session_factory.add(realm.session, authrole=u'trusted')
return router
def add_role(self, realm: str, config: Dict[str, Any]) -> RouterRole:
"""
Add a role to a realm.
:param realm: The name of the realm to add the role to.
:param config: The role configuration.
:return: The new role object.
"""
self.log.info('{func}: realm="{realm}", config=\n{config}',
func=hltype(self.add_role),
realm=hlval(realm),
config=pformat(config))
if realm not in self._routers:
raise RuntimeError(
'no router started for realm "{}"'.format(realm))
router = self._routers[realm]
uri = config['name']
role: RouterRole
if 'permissions' in config:
role = RouterRoleStaticAuth(router, uri, config['permissions'])
elif 'authorizer' in config:
role = RouterRoleDynamicAuth(router, uri, config['authorizer'])
else:
allow_by_default = config.get('allow-by-default', False)
role = RouterRole(router, uri, allow_by_default=allow_by_default)
router.add_role(role)
return role
def setUp(self):
# create a router factory
self.router_factory = RouterFactory(None, None)
# start a realm
self.realm = RouterRealm(None, {u'name': u'realm1'})
self.router_factory.start_realm(self.realm)
# allow everything
self.router = self.router_factory.get(u'realm1')
self.router.add_role(
RouterRoleStaticAuth(self.router,
u'test_role',
default_permissions={
u'uri': u'com.myapp.',
u'match': u'prefix',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True,
}
}))
# create a router session factory
self.session_factory = RouterSessionFactory(self.router_factory)
def setUp(self):
"""
Setup router and router session factories.
"""
# create a router factory
self.router_factory = RouterFactory('node1', 'router1', None)
# start a realm
self.realm = RouterRealm(None, None, {'name': 'realm1'})
self.router_factory.start_realm(self.realm)
# allow everything
self.router = self.router_factory.get('realm1')
self.router.add_role(
RouterRoleStaticAuth(self.router,
'test_role',
default_permissions={
'uri': 'com.example.',
'match': 'prefix',
'allow': {
'call': True,
'register': True,
'publish': True,
'subscribe': True,
}
}))
# create a router session factory
self.session_factory = RouterSessionFactory(self.router_factory)
def test_ruleset_1(self):
permissions = [{
u'uri': u'com.example.*',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True
}
}]
role = RouterRoleStaticAuth(None, u'testrole', permissions)
actions = [u'call', u'register', u'publish', u'subscribe']
uris = [(u'com.example.1', True), (u'myuri', False), (u'', False)]
for uri, allow in uris:
for action in actions:
authorization = role.authorize(None, uri, action, {})
self.assertEqual(authorization[u'allow'], allow)
def test_ruleset_2(self):
permissions = [
{
u'uri': u'*',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True
}
}
]
role = RouterRoleStaticAuth(None, u'testrole', permissions)
actions = [u'call', u'register', u'publish', u'subscribe']
uris = [(u'com.example.1', True), (u'myuri', True), (u'', True)]
for uri, allow in uris:
for action in actions:
authorization = role.authorize(None, uri, action, {})
self.assertEqual(authorization[u'allow'], allow)
class TestRouterRoleStaticAuthWild(unittest.TestCase):
def setUp(self):
permissions = [{
'uri': 'com..private',
'match': 'wildcard',
'allow': {
'call': True,
'register': False,
'publish': False,
'subscribe': False,
}
}, {
'uri': 'com.something_specific.private',
'match': 'exact',
'allow': {
'call': False,
'register': True,
'publish': False,
'subscribe': False
}
}, {
'uri': 'com.',
'match': 'prefix',
'allow': {
'call': False,
'register': False,
'publish': True,
'subscribe': False
}
}]
self.role = RouterRoleStaticAuth(None, 'testrole', permissions)
def test_exact_before_wildcard(self):
# exact matches should always be preferred over wildcards
self.assertEqual(False, self.role.authorize(None, 'com.something_specific.private', 'call', {})['allow'])
self.assertEqual(True, self.role.authorize(None, 'com.something_specific.private', 'register', {})['allow'])
def test_wildcard_before_prefix(self):
# wildcards should be preferred over prefix
self.assertEqual(True, self.role.authorize(None, 'com.foo.private', 'call', {})['allow'])
self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'register', {})['allow'])
self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'publish', {})['allow'])
def test_prefix(self):
# wildcards should be preferred over prefix
self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'call', {})['allow'])
self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'register', {})['allow'])
self.assertEqual(True, self.role.authorize(None, 'com.whatever', 'publish', {})['allow'])
def test_start_router_component(self):
"""
Starting a class-based router component works.
"""
r = router.RouterController(config=self.config, reactor=reactor)
# Open the transport
transport = FakeWAMPTransport(r)
r.onOpen(transport)
realm_config = {
u"name":
u"realm1",
u'roles': [{
u'name':
u'anonymous',
u'permissions': [{
u'subscribe': True,
u'register': True,
u'call': True,
u'uri': u'*',
u'publish': True
}]
}]
}
r.start_router_realm(u"realm1", realm_config)
permissions = RouterPermissions(u'', True, True, True, True, True)
routera = r._router_factory.get(u'realm1')
routera.add_role(
RouterRoleStaticAuth(router,
'anonymous',
default_permissions=permissions))
component_config = {
u"type": u"class",
u"classname":
u"crossbar.worker.test.examples.goodclass.AppSession",
u"realm": u"realm1"
}
r.start_router_component("newcomponent", component_config)
self.assertEqual(len(r.get_router_components()), 1)
self.assertEqual(r.get_router_components()[0]["id"], "newcomponent")
self.assertEqual(len(_), 1)
_.pop() # clear this global state
def add_role(self, realm, config):
self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})",
realm=realm, config=config)
assert(realm in self._routers)
router = self._routers[realm]
uri = config['name']
if 'permissions' in config:
role = RouterRoleStaticAuth(router, uri, config['permissions'])
elif 'authorizer' in config:
role = RouterRoleDynamicAuth(router, uri, config['authorizer'])
else:
role = RouterRole(router, uri)
router.add_role(role)
def setUp(self):
"""
Setup router and router session factories.
"""
# create a router factory
self.router_factory = RouterFactory()
# start a realm
self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'}))
# allow everything
permissions = RouterPermissions('', True, True, True, True, True)
router = self.router_factory.get(u'realm1')
router.add_role(RouterRoleStaticAuth(router, None, default_permissions=permissions))
# create a router session factory
self.session_factory = RouterSessionFactory(self.router_factory)
def add_role(self, realm, config):
self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})",
realm=realm, config=config)
assert(type(realm) == six.text_type)
assert(realm in self._routers)
router = self._routers[realm]
uri = config[u'name']
if u'permissions' in config:
role = RouterRoleStaticAuth(router, uri, config[u'permissions'])
elif u'authorizer' in config:
role = RouterRoleDynamicAuth(router, uri, config[u'authorizer'])
else:
allow_by_default = config.get(u'allow-by-default', False)
role = RouterRole(router, uri, allow_by_default=allow_by_default)
router.add_role(role)
def build_mqtt_server():
reactor = Clock()
router_factory, server_factory, session_factory = make_router()
add_realm_to_router(router_factory, session_factory)
router = add_realm_to_router(router_factory,
session_factory,
realm_name=u'mqtt',
realm_options={})
# allow everything
default_permissions = {
u'uri': u'',
u'match': u'prefix',
u'allow': {
u'call': True,
u'register': True,
u'publish': True,
u'subscribe': True
}
}
router.add_role(RouterRoleStaticAuth(router, u'mqttrole', default_permissions=default_permissions))
class AuthenticatorSession(ApplicationSession):
@inlineCallbacks
def onJoin(self, details):
def authenticate(realm, authid, details):
if authid == u"test123":
if details["ticket"] != u'password':
raise ApplicationError(u'com.example.invalid_ticket', u'nope')
res = {
u'realm': u'mqtt',
u'role': u'mqttrole',
u'extra': {}
}
return res
else:
raise ApplicationError(u'com.example.no_such_user', u'nah')
yield self.register(authenticate, u'com.example.auth')
def tls(realm, authid, details):
ACCEPTED_CERTS = set([u'95:1C:A9:6B:CD:8D:D2:BD:F4:73:82:01:55:89:41:12:9C:F8:AF:8E'])
if 'client_cert' not in details['transport'] or not details['transport']['client_cert']:
raise ApplicationError(u"com.example.no_cert", u"no client certificate presented")
client_cert = details['transport']['client_cert']
sha1 = client_cert['sha1']
subject_cn = client_cert['subject']['cn']
if sha1 not in ACCEPTED_CERTS:
raise ApplicationError(u"com.example.invalid_cert", u"certificate with SHA1 {} denied".format(sha1))
else:
return {
u'authid': subject_cn,
u'role': u'mqttrole',
u'realm': u'mqtt'
}
yield self.register(tls, u'com.example.tls')
config = ComponentConfig(u"default", {})
authsession = AuthenticatorSession(config)
session_factory.add(authsession, router, authrole=u"trusted")
options = {
u"options": {
u"realm": u"mqtt",
u"role": u"mqttrole",
u"payload_mapping": {
u"": {
u"type": u"native",
u"serializer": u"json"
}
},
u"auth": {
u"ticket": {
u"type": u"dynamic",
u"authenticator": u"com.example.auth",
u"authenticator-realm": u"default",
},
u"tls": {
u"type": u"dynamic",
u"authenticator": u"com.example.tls",
u"authenticator-realm": u"default",
}
}
}
}
mqtt_factory = WampMQTTServerFactory(session_factory, options, reactor)
server_factory._mqtt_factory = mqtt_factory
return reactor, router, server_factory, session_factory
class TestRouterRoleStaticAuthWild(unittest.TestCase):
def setUp(self):
permissions = [
{
u'uri': u'com..private',
u'match': 'wildcard',
u'allow': {
u'call': True,
u'register': False,
u'publish': False,
u'subscribe': False,
}
},
{
u'uri': u'com.something_specific.private',
u'match': 'exact',
u'allow': {
u'call': False,
u'register': True,
u'publish': False,
u'subscribe': False
}
},
{
u'uri': u'com.',
u'match': 'prefix',
u'allow': {
u'call': False,
u'register': False,
u'publish': True,
u'subscribe': False
}
}
]
self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
def test_exact_before_wildcard(self):
# exact matches should always be preferred over wildcards
self.assertEqual(
False,
self.role.authorize(None, u'com.something_specific.private', 'call', {})[u'allow']
)
self.assertEqual(
True,
self.role.authorize(None, u'com.something_specific.private', 'register', {})[u'allow']
)
def test_wildcard_before_prefix(self):
# wildcards should be preferred over prefix
self.assertEqual(
True,
self.role.authorize(None, u'com.foo.private', 'call', {})[u'allow']
)
self.assertEqual(
False,
self.role.authorize(None, u'com.foo.private', 'register', {})[u'allow']
)
self.assertEqual(
False,
self.role.authorize(None, u'com.foo.private', 'publish', {})[u'allow']
)
def test_prefix(self):
# wildcards should be preferred over prefix
self.assertEqual(
False,
self.role.authorize(None, u'com.whatever', 'call', {})[u'allow']
)
self.assertEqual(
False,
self.role.authorize(None, u'com.whatever', 'register', {})[u'allow']
)
self.assertEqual(
True,
self.role.authorize(None, u'com.whatever', 'publish', {})[u'allow']
)
