Beispiel #1
    def test_gssapi_step(self):
        """Drive GSSAPIContext.step() through a two-leg token exchange.

        The underlying security context is replaced by a stub: its first
        step() returns b"token", its second echoes the input token and marks
        itself complete. The test checks that the generator yields the first
        token, accepts the peer's reply through send(), yields the stub's
        answer to that reply, and that ``complete`` is only truthy after the
        second leg.
        """
        class StubSecContext(object):
            def __init__(self):
                self.complete = False
                self._first = True

            def step(self, in_token=None):
                # Second and later calls: finish and echo the peer's token.
                if not self._first:
                    self.complete = True
                    return in_token

                # First call: emit the initial token, context still open.
                self._first = False
                return b"token"

        # Positional arguments are kept exactly as in the other tests of this
        # class; presumably (username, password, provider, cbt, hostname,
        # service, delegate, wrap_required) -- confirm against GSSAPIContext.
        context = GSSAPIContext(
            None, None, "auto", None, "hostname", "http", True, True
        )
        context._context = StubSecContext()

        # Nothing has been exchanged yet.
        assert context.complete is False

        exchange = context.step()

        first_token = next(exchange)
        assert first_token == b"token"
        assert context.complete is False

        second_token = exchange.send(b"new token")
        assert second_token == b"new token"
        assert context.complete
Beispiel #2
 def test_gssapi_unwrap(self):
     """Check that unwrap() hands header + data to the context as one buffer.

     With the security context mocked, the only recorded call must be
     ``unwrap`` with the single positional argument b"headerdata" (the
     header immediately followed by the data) and no keyword arguments.
     """
     wrapper = GSSAPIContext(
         None, None, "auto", None, "hostname", "http", True, True
     )
     wrapper._context = MagicMock()

     wrapper.unwrap(b"header", b"data")

     recorded = wrapper._context.method_calls
     assert len(recorded) == 1

     # Each recorded entry is indexed as (name, args, kwargs).
     only_call = recorded[0]
     assert only_call[0] == "unwrap"
     assert only_call[1] == (b"headerdata", )
     assert only_call[2] == {}
Beispiel #3
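    def test_gssapi_get_sec_context_kerb_fail_with_pass(self, monkeypatch):
        """Check the explicit-password fallback for Kerberos credentials.

        gss.Credentials is mocked to raise GSSError(458752, 0), so the first
        credential lookup fails. The test then expects exactly one call to
        gss.raw.acquire_cred_with_password with the user name and the
        password as bytes, followed by one gss.SecurityContext built for the
        host-based service name with the mutual-authentication,
        out-of-sequence-detection and delegation flags.
        """
        gss = pytest.importorskip("gssapi")

        # 458752 == 7 << 16, which is GSS_S_NO_CRED in the GSS-API major
        # status encoding: the credential lookup finds nothing usable.
        mock_cred = MagicMock(side_effect=gss.exceptions.GSSError(458752, 0))
        mock_acquire_cred = MagicMock()
        mock_context = MagicMock()

        monkeypatch.setattr(gss, 'Credentials', mock_cred)
        monkeypatch.setattr(gss.raw, 'acquire_cred_with_password',
                            mock_acquire_cred)
        monkeypatch.setattr(gss, 'SecurityContext', mock_context)

        name_type = gss.NameType.kerberos_principal
        mech = gss.OID.from_int_seq(GSSAPIContext._AUTH_PROVIDERS['kerberos'])
        spn = "http@hostname"
        # Masked placeholder; every assertion below compares against this
        # same variable, so the exact text is not pinned by the test.
        username = "******"
        # Dummy test value. It has to agree with the b"password" that the
        # acquire_cred_with_password assertion below expects; the masked
        # literal "******" could never satisfy that assertion.
        password = "password"
        delegate = True
        wrap_required = False
        cbt = None

        GSSAPIContext._get_security_context(name_type, mech, spn, username,
                                            password, delegate, wrap_required,
                                            cbt)

        expected_user = gss.Name(base=username, name_type=name_type)

        # First attempt: credential lookup by name only, no secret involved.
        assert mock_cred.call_count == 1
        assert mock_cred.call_args[0] == ()
        assert mock_cred.call_args[1]['name'] == expected_user
        assert mock_cred.call_args[1]['usage'] == 'initiate'
        assert mock_cred.call_args[1]['mechs'] == [mech]

        # Fallback: the password is passed as bytes, once.
        assert mock_acquire_cred.call_count == 1
        assert mock_acquire_cred.call_args[0] == (expected_user, b"password")
        assert mock_acquire_cred.call_args[1]['usage'] == 'initiate'
        assert mock_acquire_cred.call_args[1]['mechs'] == [mech]

        # With delegate=True and wrap_required=False exactly these three
        # flags are expected; no other flag may be set.
        expected_flags = \
            gss.RequirementFlag.mutual_authentication | \
            gss.RequirementFlag.out_of_sequence_detection | \
            gss.RequirementFlag.delegate_to_peer

        assert mock_context.call_count == 1
        assert mock_context.call_args[0] == ()
        assert mock_context.call_args[1]['name'] == \
            gss.Name(spn, name_type=gss.NameType.hostbased_service)
        # NOTE(review): this only proves a mock object was passed as creds,
        # presumably the one derived from acquire_cred_with_password --
        # it does not tell the two credential mocks apart.
        assert isinstance(mock_context.call_args[1]['creds'], MagicMock)
        assert mock_context.call_args[1]['usage'] == "initiate"
        assert mock_context.call_args[1]['mech'] == mech
        assert mock_context.call_args[1]['flags'] == expected_flags
        assert mock_context.call_args[1]['channel_bindings'] == cbt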
Beispiel #4
    def test_gssapi_get_sec_context_auto_implicit(self):
        """Check that implicit credentials are refused for the 'auto' provider.

        With neither username nor password supplied and the 'auto' mechanism
        selected, _get_security_context must raise ValueError with the exact
        message asserted below.
        """
        gss = pytest.importorskip("gssapi")

        # Same positional order as the call in the original test: name_type,
        # mech, spn, username, password, delegate, wrap_required, cbt.
        call_args = (
            gss.NameType.user,
            gss.OID.from_int_seq(GSSAPIContext._AUTH_PROVIDERS['auto']),
            "http@hostname",
            None,   # username: none given, i.e. implicit credentials
            None,   # password
            False,  # delegate
            False,  # wrap_required
            None,   # cbt
        )

        with pytest.raises(ValueError) as err:
            GSSAPIContext._get_security_context(*call_args)

        expected_message = \
            "Can only use implicit credentials with kerberos authentication"
        assert str(err.value) == expected_message
Beispiel #5
    def test_gssapi_init_context_ntlm(self, monkeypatch):
        """Check what init_context() forwards for the 'ntlm' provider.

        _get_security_context is replaced by a mock, so no real GSSAPI
        context is built; the test only inspects the eight positional
        arguments that init_context() passes on.
        """
        gss = pytest.importorskip("gssapi")

        factory = MagicMock()
        monkeypatch.setattr(GSSAPIContext, "_get_security_context", factory)

        ntlm_context = GSSAPIContext(
            "user", "pass", "ntlm", None, "hostname", "http", True, True
        )
        ntlm_context.init_context()

        # Unpacking into exactly eight names also pins the call's arity.
        (name_type, mech, spn, user, password, delegate, wrap_required,
         cbt) = factory.call_args[0]

        ntlm_mech = gss.OID.from_int_seq(GSSAPIContext._AUTH_PROVIDERS['ntlm'])

        assert name_type == gss.NameType.user
        assert mech == ntlm_mech
        assert spn == "http@hostname"
        assert user == "user"
        assert password == "pass"
        assert delegate is True
        assert wrap_required is True
        # No channel-binding data was given to the constructor.
        assert cbt is None
Beispiel #6
    def test_gssapi_get_sec_context_kerb_fail_no_pass(self, monkeypatch):
        """Check that a failed credential lookup propagates without a password.

        gss.Credentials is mocked to raise GSSError(458752, 0). With no
        username and no password there is nothing to fall back to, so the
        same GSSError (same major and minor code) must reach the caller.
        """
        gss = pytest.importorskip("gssapi")

        # 458752 == 7 << 16, which is GSS_S_NO_CRED in the GSS-API major
        # status encoding.
        failing_credentials = MagicMock(
            side_effect=gss.exceptions.GSSError(458752, 0)
        )
        monkeypatch.setattr(gss, 'Credentials', failing_credentials)

        # Same positional order as the call in the original test: name_type,
        # mech, spn, username, password, delegate, wrap_required, cbt.
        # NOTE(review): the spn literal looks like a masking artifact; the
        # other tests in this class use "http@hostname" -- confirm against
        # the upstream test before relying on it.
        call_args = (
            gss.NameType.kerberos_principal,
            gss.OID.from_int_seq(GSSAPIContext._AUTH_PROVIDERS['kerberos']),
            "*****@*****.**",
            None,   # username
            None,   # password
            False,  # delegate
            False,  # wrap_required
            None,   # cbt
        )

        with pytest.raises(gss.exceptions.GSSError) as err:
            GSSAPIContext._get_security_context(*call_args)

        raised = err.value
        assert raised.maj_code == 458752
        assert raised.min_code == 0
Beispiel #7
    def test_gssapi_init_context_with_cbt(self, monkeypatch):
        """Check that channel-binding data reaches the security context.

        The constructor is given b"cbt" as channel-binding application data.
        With _get_security_context mocked, the test verifies that
        init_context() forwards a gss.raw.ChannelBindings object whose
        application_data is that same byte string, alongside the usual
        name type, mechanism, SPN and credential arguments.
        """
        gss = pytest.importorskip("gssapi")

        factory = MagicMock()
        monkeypatch.setattr(GSSAPIContext, "_get_security_context", factory)

        bound_context = GSSAPIContext(
            "user", "pass", "auto", b"cbt", "hostname", "http", True, True
        )
        bound_context.init_context()

        # Unpacking into exactly eight names also pins the call's arity.
        (name_type, mech, spn, user, password, delegate, wrap_required,
         cbt) = factory.call_args[0]

        auto_mech = gss.OID.from_int_seq(GSSAPIContext._AUTH_PROVIDERS['auto'])

        assert name_type == gss.NameType.user
        assert mech == auto_mech
        assert spn == "http@hostname"
        assert user == "user"
        assert password == "pass"
        assert delegate is True
        assert wrap_required is True

        # The raw bytes must arrive wrapped, not dropped or passed bare.
        assert isinstance(cbt, gss.raw.ChannelBindings)
        assert cbt.application_data == b"cbt"
Beispiel #8
 def test_gssapi_properties(self):
     """Check the derived properties of a context built without credentials.

     With username None, the ``username`` property stays None, ``domain``
     is the empty string, and the target SPN is "<service>@<hostname>",
     here "http@hostname".
     """
     anonymous = GSSAPIContext(
         None, None, "auto", None, "hostname", "http", True, True
     )

     assert anonymous.username is None
     assert anonymous.domain == ""
     assert anonymous._target_spn == "http@hostname"