def test_passing_filelike_as_request_object(self):
req = StringIO.StringIO(TEST_REQ)
assert not check_signature(req, TEST_KEY, nonces=False)
req = StringIO.StringIO(TEST_REQ)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
req = StringIO.StringIO(TEST_REQ_SIGNED)
assert check_signature(req, TEST_KEY, nonces=False)
def test_passing_filelike_as_request_object(self):
req = StringIO.StringIO(TEST_REQ)
assert not check_signature(req, TEST_KEY, nonces=False)
req = StringIO.StringIO(TEST_REQ)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
req = StringIO.StringIO(TEST_REQ_SIGNED)
assert check_signature(req, TEST_KEY, nonces=False)
def test_passing_requests_request_as_request_object(self):
req = requests.Request(
url="http://example.com/resource/1",
method="POST",
params=[("b", "1"), ("a", "2")],
data="hello world",
)
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def test_passing_requests_request_as_request_object(self):
req = requests.Request(
url="http://example.com/resource/1",
method="POST",
params=[("b", "1"), ("a", "2")],
data="hello world",
)
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def test_check_signature_fails_with_reused_nonce(self):
# First request with that nonce should succeed.
req = Request.blank("/")
req.authorization = ("MAC", {"nonce": "PEPPER"})
sign_request(req, "myid", "mykey")
self.assertTrue(check_signature(req, "mykey"))
# Second request with that nonce should fail.
req = Request.blank("/")
req.authorization = ("MAC", {"nonce": "PEPPER"})
sign_request(req, "myid", "mykey")
self.assertFalse(check_signature(req, "mykey"))
# But it will succeed if using a different nonce cache.
self.assertTrue(check_signature(req, "mykey", nonces=NonceCache()))
def test_check_signature_fails_with_far_future_timestamp(self):
req = Request.blank("/")
# Do an initial request so that the server can
# calculate and cache our clock skew.
ts = str(int(time.time()))
req.authorization = ("MAC", {"ts": ts})
sign_request(req, "myid", "mykey")
self.assertTrue(check_signature(req, "mykey"))
# Now do one with a far future timestamp.
ts = str(int(time.time() + 1000))
req.authorization = ("MAC", {"ts": ts})
sign_request(req, "myid", "mykey")
self.assertFalse(check_signature(req, "mykey"))
def test_check_signature_fails_with_far_future_timestamp(self):
req = Request.blank("/")
# Do an initial request so that the server can
# calculate and cache our clock skew.
ts = str(int(time.time()))
req.authorization = ("MAC", {"ts": ts})
sign_request(req, "myid", "mykey")
self.assertTrue(check_signature(req, "mykey"))
# Now do one with a far future timestamp.
ts = str(int(time.time() + 1000))
req.authorization = ("MAC", {"ts": ts})
sign_request(req, "myid", "mykey")
self.assertFalse(check_signature(req, "mykey"))
def test_check_signature_fails_with_reused_nonce(self):
# First request with that nonce should succeed.
req = Request.blank("/")
req.authorization = ("MAC", {"nonce": "PEPPER"})
sign_request(req, "myid", "mykey")
self.assertTrue(check_signature(req, "mykey"))
# Second request with that nonce should fail.
req = Request.blank("/")
req.authorization = ("MAC", {"nonce": "PEPPER"})
sign_request(req, "myid", "mykey")
self.assertFalse(check_signature(req, "mykey"))
# But it will succeed if using a different nonce cache.
self.assertTrue(check_signature(req, "mykey", nonces=NonceCache()))
def test_passing_environ_dict_as_request_object(self):
req = {
"wsgi.url_scheme": "http",
"REQUEST_METHOD": "POST",
"HTTP_HOST": "example.com",
"HTTP_CONTENT_LENGTH": "11",
"PATH_INFO": "/resource/1",
"QUERY_STRING": "b=1&a=2",
"wsgi.input": StringIO.StringIO("hello world")
}
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def test_passing_environ_dict_as_request_object(self):
req = {
"wsgi.url_scheme": "http",
"REQUEST_METHOD": "POST",
"HTTP_HOST": "example.com",
"HTTP_CONTENT_LENGTH": "11",
"PATH_INFO": "/resource/1",
"QUERY_STRING": "b=1&a=2",
"wsgi.input": StringIO.StringIO("hello world")
}
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def _check_signature(self, request, key):
"""Check the MACAuth signaure on the request.
This method checks the MAC signature on the request against the
supplied signing key. If missing or invalid then HTTPUnauthorized
is raised.
"""
# See if we've already checked the signature on this request.
# This is important because pyramid doesn't cache the results
# of authenticating the request, but we mark the nonce as stale
# after the first check.
if request.environ.get("macauth.signature_is_valid", False):
return True
# Grab the (hopefully cached) params from the request.
params = self._get_params(request)
if params is None:
msg = "missing MAC signature"
raise self.challenge(request, msg)
# Validate the signature with the given key.
sig_valid = macauthlib.check_signature(request, key, params=params,
nonces=self.nonce_cache)
if not sig_valid:
msg = "invalid MAC signature"
raise self.challenge(request, msg)
# Mark this request as having a valid signature.
request.environ["macauth.signature_is_valid"] = True
return True
def _check_signature(self, request, key):
"""Check the MACAuth signaure on the request.
This method checks the MAC signature on the request against the
supplied signing key. If missing or invalid then HTTPUnauthorized
is raised.
"""
# See if we've already checked the signature on this request.
# This is important because pyramid doesn't cache the results
# of authenticating the request, but we mark the nonce as stale
# after the first check.
if request.environ.get("macauth.signature_is_valid", False):
return True
# Grab the (hopefully cached) params from the request.
params = self._get_params(request)
if params is None:
msg = "missing MAC signature"
raise self.challenge(request, msg)
# Validate the signature with the given key.
sig_valid = macauthlib.check_signature(request, key, params=params,
nonces=self.nonce_cache)
if not sig_valid:
msg = "invalid MAC signature"
raise self.challenge(request, msg)
# Mark this request as having a valid signature.
request.environ["macauth.signature_is_valid"] = True
return True
def test_check_signature_fails_with_busted_signature(self):
req = Request.blank("/")
sign_request(req, "myid", "mykey")
signature = parse_authz_header(req)["mac"]
authz = req.environ["HTTP_AUTHORIZATION"]
authz = authz.replace(signature, "XXX" + signature)
req.environ["HTTP_AUTHORIZATION"] = authz
self.assertFalse(check_signature(req, "mykey"))
def test_check_signature_fails_with_busted_signature(self):
req = Request.blank("/")
sign_request(req, "myid", "mykey")
signature = parse_authz_header(req)["mac"]
authz = req.environ["HTTP_AUTHORIZATION"]
authz = authz.replace(signature, "XXX" + signature)
req.environ["HTTP_AUTHORIZATION"] = authz
self.assertFalse(check_signature(req, "mykey"))
def test_passing_webob_request_as_request_object(self):
req = webob.Request.from_bytes(TEST_REQ)
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def test_check_signature_errors_when_missing_id(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("MAC", {"ts": "1", "nonce": "2"})
self.assertFalse(check_signature(req, "secretkeyohsecretkey"))
def pre_request_hook(req):
sign_request(req, TEST_ID, TEST_KEY)
assert check_signature(req, TEST_KEY, nonces=False)
raise RuntimeError("aborting the request")
def _check_signature(self, request, secret, params=None):
"""Check the request signature, using our local nonce cache."""
return macauthlib.check_signature(request, secret, params=params,
nonces=self.nonce_cache)
def test_check_signature_fails_with_non_mac_scheme(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
sign_request(req, "myid", "mykey")
req.authorization = ("OAuth", req.authorization[1])
self.assertFalse(check_signature(req, "mykey"))
def test_check_signature_fails_with_non_mac_scheme(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
sign_request(req, "myid", "mykey")
req.authorization = ("OAuth", req.authorization[1])
self.assertFalse(check_signature(req, "mykey"))
def __call__(self, req):
sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert check_signature(req, TEST_KEY, nonces=False)
assert TEST_SIG in req.headers['Authorization']
raise RuntimeError("aborting the request")
def test_passing_bytestring_as_request_object(self):
assert not check_signature(TEST_REQ, TEST_KEY, nonces=False)
authz = sign_request(TEST_REQ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(TEST_REQ_SIGNED, TEST_KEY, nonces=False)
def test_passing_bytestring_as_request_object(self):
assert not check_signature(TEST_REQ, TEST_KEY, nonces=False)
authz = sign_request(TEST_REQ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(TEST_REQ_SIGNED, TEST_KEY, nonces=False)
def test_check_signature_errors_when_missing_id(self):
req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
req = Request.from_bytes(req)
req.authorization = ("MAC", {"ts": "1", "nonce": "2"})
self.assertFalse(check_signature(req, "secretkeyohsecretkey"))
def test_passing_webob_request_as_request_object(self):
req = webob.Request.from_bytes(TEST_REQ)
assert not check_signature(req, TEST_KEY, nonces=False)
authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
assert TEST_SIG in authz
assert check_signature(req, TEST_KEY, nonces=False)
def pre_request_hook(req):
sign_request(req, TEST_ID, TEST_KEY)
assert check_signature(req, TEST_KEY, nonces=False)
raise RuntimeError("aborting the request")
