def test_login_gssapi_principal_needs_keytab(requests_session):
    """A gssapi login with a principal but no keytab fails, reported only via DEBUG log.

    No exception reaches the caller of ``_login``; the failure is observable
    only through the injected logger, which is what this test inspects.
    """
    settings = PyConfigParser()
    settings.load_from_dict(
        dict(
            HUB_URL="https://hub.example.com/myapp/endpoint",
            AUTH_METHOD="gssapi",
            KRB_PRINCIPAL="*****@*****.**",
        )
    )

    debug_log = mock.Mock()
    hub = HubProxy(settings, transport=FakeTransport(), logger=debug_log)

    hub._login(force=True)

    # The call above returned normally although the configuration is invalid,
    # so the rejected credential setup can only be detected from the DEBUG
    # message.
    # NOTE(review): an authentication failure that surfaces only at DEBUG level
    # is easy to miss with default log settings - confirm that callers have
    # another way to learn that no session was established.
    expected_message = (
        "Failed to create new session: Cannot specify a principal without a keytab"
    )
    debug_log.debug.assert_called_with(expected_message)
def test_no_auto_logout(requests_session):
    """Passing ``auto_logout`` to HubProxy emits a deprecation warning."""
    settings = PyConfigParser()
    settings.load_from_dict(dict(HUB_URL="https://example.com/hub"))

    fake_transport = FakeTransport()

    # pytest.deprecated_call() fails the test unless the body triggers a
    # DeprecationWarning or PendingDeprecationWarning.
    with pytest.deprecated_call():
        HubProxy(settings, transport=fake_transport, auto_logout=True)
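def test_login_gssapi_krb_opts(requests_session):
    """Login with gssapi method prepares auth using correct gssapi parameters
    according to config.

    Three things are verified after a forced login:

    * ``gssapi.Credentials`` is built from the configured client principal,
      keytab and credential cache;
    * ``requests_gssapi.HTTPSPNEGOAuth`` receives those credentials together
      with the configured server principal as ``target_name``;
    * the login request passes the configured CA bundle as ``verify``, i.e.
      the TLS certificate check uses the configured trust anchor.
    """
    conf = PyConfigParser()
    conf.load_from_dict({
        "HUB_URL": "https://hub.example.com/myapp/endpoint",
        "AUTH_METHOD": "gssapi",
        "CA_CERT": "/some/ca-bundle.pem",
        # NOTE(review): the principal is masked in the listing this test was
        # taken from; the same masked value is used in the assertion below.
        "KRB_PRINCIPAL": "*****@*****.**",
        "KRB_SERVICE": "SVC",
        "KRB_REALM": "REALM.EXAMPLE.COM",
        "KRB_KEYTAB": "some-keytab",
        "KRB_CCACHE": "some-cache",
    })

    transport = FakeTransport()
    proxy = HubProxy(conf, transport=transport)

    # The proxy may already have issued requests while being constructed, so
    # remember how many there were and look only at the one made by the login.
    mock_get = requests_session.return_value.get
    calls_before = len(mock_get.mock_calls)

    with mock.patch("requests_gssapi.HTTPSPNEGOAuth") as mock_auth, \
            mock.patch("gssapi.Credentials") as mock_creds:
        # Force a login
        proxy._login(force=True)

    get_call = mock_get.mock_calls[calls_before]

    # It should have prepared credentials with the details from config
    mock_creds.assert_called_once_with(
        name=gssapi.Name("*****@*****.**",
                         gssapi.NameType.kerberos_principal),
        store={
            "client_keytab": "some-keytab",
            "ccache": "FILE:some-cache"
        },
        usage="initiate",
    )

    # It should have prepared auth with those credentials and our configured
    # server principal.
    # NOTE(review): the listing showed an e-mail-obfuscation placeholder in
    # this literal; it is rebuilt here as KRB_SERVICE/<HUB_URL host>@KRB_REALM
    # from the config above - confirm against the upstream test.
    mock_auth.assert_called_once_with(
        creds=mock_creds.return_value,
        target_name=gssapi.Name("SVC/hub.example.com@REALM.EXAMPLE.COM",
                                gssapi.NameType.kerberos_principal),
    )

    # It should have used the configured CA bundle when issuing the request
    # (entry 2 of a recorded mock call holds the keyword arguments).
    assert get_call[2]["verify"] == "/some/ca-bundle.pem"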
def test_proxies_to_xmlrpc(requests_session):
    """Attribute access on HubProxy is forwarded as an XML-RPC method call."""
    settings = PyConfigParser()
    settings.load_from_dict(dict(HUB_URL="https://example.com/hub"))

    fake_transport = FakeTransport()
    hub = HubProxy(settings, transport=fake_transport)

    hub.some_obj.some_method()

    # The most recent request recorded by the fake transport must name the
    # dotted method that was just invoked.
    _unused, payload = fake_transport.fake_transport_calls[-1]
    assert b"some_obj.some_method" in payload
def test_login_gssapi(requests_session):
    """A gssapi login requests the krb5login URL with SPNEGO auth to get a session cookie."""
    expected_login_url = "https://example.com/myapp/auth/krb5login/"

    settings = PyConfigParser()
    settings.load_from_dict(
        dict(
            HUB_URL="https://example.com/myapp/endpoint",
            AUTH_METHOD="gssapi",
        )
    )

    fake_transport = FakeTransport()
    hub = HubProxy(settings, transport=fake_transport)

    # Constructing the proxy may already have issued GET requests. Only the
    # login is under test here, so note how many calls precede it.
    session_get = requests_session.return_value.get
    already_made = len(session_get.mock_calls)

    # Force a login
    hub._login(force=True)

    # The HTTP session and the XML-RPC transport must hold the very same
    # cookie jar object, so the cookie obtained at login is sent on later RPCs.
    assert requests_session.return_value.cookies is fake_transport.cookiejar

    # Everything recorded on the mocked GET since the login started
    login_calls = session_get.mock_calls[already_made:]
    first_call = login_calls[0]

    # An empty call name means the mock itself was called (i.e. session.get(...))
    assert first_call[0] == ""
    positional = first_call[1]
    keywords = first_call[2]

    # The request must target the login endpoint
    assert positional == (expected_login_url, )

    # SPNEGO auth must be attached to the request; the auth object's
    # parameters are covered by a separate test.
    assert "HTTPSPNEGOAuth" in str(type(keywords["auth"]))

    # The response status must have been checked
    assert login_calls[1][0] == "().raise_for_status"

    # Nothing else may have been requested
    assert len(login_calls) == 2