def setUp(self):
        """
        Setup router and router session factories.
        """

        # create a router factory
        self.router_factory = RouterFactory(u'mynode')

        # start a realm
        self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'}))

        # allow everything
        default_permissions = {
            u'uri': u'',
            u'match': u'prefix',
            u'allow': {
                u'call': True,
                u'register': True,
                u'publish': True,
                u'subscribe': True
            }
        }
        self.router = self.router_factory.get(u'realm1')
        self.router.add_role(RouterRoleStaticAuth(self.router, u'test_role', default_permissions=default_permissions))
        self.router.add_role(RouterRoleStaticAuth(self.router, None, default_permissions=default_permissions))

        # create a router session factory
        self.session_factory = RouterSessionFactory(self.router_factory)
Ejemplo n.º 2
0
 def setUp(self):
     permissions = [{
         u'uri': u'com..private',
         u'match': 'wildcard',
         u'allow': {
             u'call': True,
             u'register': False,
             u'publish': False,
             u'subscribe': False,
         }
     }, {
         u'uri': u'com.something_specific.private',
         u'match': 'exact',
         u'allow': {
             u'call': False,
             u'register': True,
             u'publish': False,
             u'subscribe': False
         }
     }, {
         u'uri': u'com.',
         u'match': 'prefix',
         u'allow': {
             u'call': False,
             u'register': False,
             u'publish': True,
             u'subscribe': False
         }
     }]
     self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
Ejemplo n.º 3
0
 def test_ruleset_empty(self):
     permissions = []
     role = RouterRoleStaticAuth(None, "testrole", permissions)
     actions = ['call', 'register', 'publish', 'subscribe']
     uris = ['com.example.1', 'myuri', '']
     for uri in uris:
         for action in actions:
             self.assertFalse(role.authorize(None, uri, action))
Ejemplo n.º 4
0
 def test_ruleset_empty(self):
     permissions = []
     role = RouterRoleStaticAuth(None, "testrole", permissions)
     actions = ['call', 'register', 'publish', 'subscribe']
     uris = ['com.example.1', 'myuri', '']
     for uri in uris:
         for action in actions:
             self.assertFalse(role.authorize(None, uri, action))
Ejemplo n.º 5
0
 def test_ruleset_2(self):
     permissions = [{u"uri": u"*", u"call": True, u"register": True, u"publish": True, u"subscribe": True}]
     role = RouterRoleStaticAuth(None, u"testrole", permissions)
     actions = [u"call", u"register", u"publish", u"subscribe"]
     uris = [(u"com.example.1", True), (u"myuri", True), (u"", True)]
     for uri, allow in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action)
             self.assertEqual(authorization[u"allow"], allow)
Ejemplo n.º 6
0
 def test_ruleset_empty(self):
     permissions = []
     role = RouterRoleStaticAuth(None, u'testrole', permissions)
     actions = [u'call', u'register', u'publish', u'subscribe']
     uris = [u'com.example.1', u'myuri', u'']
     for uri in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action, {})
             self.assertFalse(authorization[u'allow'])
Ejemplo n.º 7
0
 def test_ruleset_empty(self):
     permissions = []
     role = RouterRoleStaticAuth(None, u'testrole', permissions)
     actions = [u'call', u'register', u'publish', u'subscribe']
     uris = [u'com.example.1', u'myuri', u'']
     for uri in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action, {})
             self.assertFalse(authorization[u'allow'])
Ejemplo n.º 8
0
 def test_ruleset_2(self):
     permissions = [{'uri': '*', 'allow': {'call': True, 'register': True, 'publish': True, 'subscribe': True}}]
     role = RouterRoleStaticAuth(None, 'testrole', permissions)
     actions = ['call', 'register', 'publish', 'subscribe']
     uris = [('com.example.1', True), ('myuri', True), ('', True)]
     for uri, allow in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action, {})
             self.assertEqual(authorization['allow'], allow)
Ejemplo n.º 9
0
 def test_ruleset_empty(self):
     permissions = []
     role = RouterRoleStaticAuth(None, u"testrole", permissions)
     actions = [u"call", u"register", u"publish", u"subscribe"]
     uris = [u"com.example.1", u"myuri", u""]
     for uri in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action)
             self.assertFalse(authorization[u"allow"])
Ejemplo n.º 10
0
 def test_ruleset_1(self):
     permissions = [{
         'uri': 'com.example.*',
         'call': True,
         'register': True,
         'publish': True,
         'subscribe': True
     }]
     role = RouterRoleStaticAuth(None, "testrole", permissions)
     actions = ['call', 'register', 'publish', 'subscribe']
     uris = [('com.example.1', True), ('myuri', False), ('', False)]
     for uri, allow in uris:
         for action in actions:
             self.assertEqual(role.authorize(None, uri, action), allow)
Ejemplo n.º 11
0
 def setUp(self):
     permissions = [
         {
             u'uri': u'com..private',
             u'match': 'wildcard',
             u'allow': {
                 u'call': True,
                 u'register': False,
                 u'publish': False,
                 u'subscribe': False,
             }
         },
         {
             u'uri': u'com.something_specific.private',
             u'match': 'exact',
             u'allow': {
                 u'call': False,
                 u'register': True,
                 u'publish': False,
                 u'subscribe': False
             }
         },
         {
             u'uri': u'com.',
             u'match': 'prefix',
             u'allow': {
                 u'call': False,
                 u'register': False,
                 u'publish': True,
                 u'subscribe': False
             }
         }
     ]
     self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
Ejemplo n.º 12
0
 def test_ruleset_2(self):
     permissions = [
         {
             'uri': '*',
             'call': True,
             'register': True,
             'publish': True,
             'subscribe': True
         }
     ]
     role = RouterRoleStaticAuth(None, "testrole", permissions)
     actions = ['call', 'register', 'publish', 'subscribe']
     uris = [('com.example.1', True), ('myuri', True), ('', True)]
     for uri, allow in uris:
         for action in actions:
             self.assertEqual(role.authorize(None, uri, action), allow)
Ejemplo n.º 13
0
def add_realm_to_router(router_factory, session_factory, realm_name=u'default',
                        realm_options={}):

    opts = dict(realm_options)
    opts.update({u'name': realm_name})

    # start a realm
    realm = RouterRealm(None, opts)
    router = router_factory.start_realm(realm)

    extra = {}
    session_config = ComponentConfig(realm_name, extra)
    realm.session = RouterServiceSession(session_config, router)

    # allow everything
    default_permissions = {
        u'uri': u'',
        u'match': u'prefix',
        u'allow': {
            u'call': True,
            u'register': True,
            u'publish': True,
            u'subscribe': True
        }
    }

    router = router_factory.get(realm_name)
    router.add_role(RouterRoleStaticAuth(router, 'anonymous', default_permissions=default_permissions))

    session_factory.add(realm.session, authrole=u'trusted')

    return router
Ejemplo n.º 14
0
    def add_role(self, realm: str, config: Dict[str, Any]) -> RouterRole:
        """
        Add a role to a realm.

        :param realm: The name of the realm to add the role to.
        :param config: The role configuration.
        :return: The new role object.
        """
        self.log.info('{func}: realm="{realm}", config=\n{config}',
                      func=hltype(self.add_role),
                      realm=hlval(realm),
                      config=pformat(config))

        if realm not in self._routers:
            raise RuntimeError(
                'no router started for realm "{}"'.format(realm))

        router = self._routers[realm]
        uri = config['name']

        role: RouterRole
        if 'permissions' in config:
            role = RouterRoleStaticAuth(router, uri, config['permissions'])
        elif 'authorizer' in config:
            role = RouterRoleDynamicAuth(router, uri, config['authorizer'])
        else:
            allow_by_default = config.get('allow-by-default', False)
            role = RouterRole(router, uri, allow_by_default=allow_by_default)

        router.add_role(role)
        return role
Ejemplo n.º 15
0
    def setUp(self):

        # create a router factory
        self.router_factory = RouterFactory(None, None)

        # start a realm
        self.realm = RouterRealm(None, {u'name': u'realm1'})
        self.router_factory.start_realm(self.realm)

        # allow everything
        self.router = self.router_factory.get(u'realm1')
        self.router.add_role(
            RouterRoleStaticAuth(self.router,
                                 u'test_role',
                                 default_permissions={
                                     u'uri': u'com.myapp.',
                                     u'match': u'prefix',
                                     u'allow': {
                                         u'call': True,
                                         u'register': True,
                                         u'publish': True,
                                         u'subscribe': True,
                                     }
                                 }))

        # create a router session factory
        self.session_factory = RouterSessionFactory(self.router_factory)
Ejemplo n.º 16
0
    def setUp(self):
        """
        Setup router and router session factories.
        """

        # create a router factory
        self.router_factory = RouterFactory('node1', 'router1', None)

        # start a realm
        self.realm = RouterRealm(None, None, {'name': 'realm1'})
        self.router_factory.start_realm(self.realm)

        # allow everything
        self.router = self.router_factory.get('realm1')
        self.router.add_role(
            RouterRoleStaticAuth(self.router,
                                 'test_role',
                                 default_permissions={
                                     'uri': 'com.example.',
                                     'match': 'prefix',
                                     'allow': {
                                         'call': True,
                                         'register': True,
                                         'publish': True,
                                         'subscribe': True,
                                     }
                                 }))

        # create a router session factory
        self.session_factory = RouterSessionFactory(self.router_factory)
Ejemplo n.º 17
0
 def test_ruleset_1(self):
     permissions = [{
         u'uri': u'com.example.*',
         u'allow': {
             u'call': True,
             u'register': True,
             u'publish': True,
             u'subscribe': True
         }
     }]
     role = RouterRoleStaticAuth(None, u'testrole', permissions)
     actions = [u'call', u'register', u'publish', u'subscribe']
     uris = [(u'com.example.1', True), (u'myuri', False), (u'', False)]
     for uri, allow in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action, {})
             self.assertEqual(authorization[u'allow'], allow)
Ejemplo n.º 18
0
 def test_ruleset_2(self):
     permissions = [
         {
             u'uri': u'*',
             u'allow': {
                 u'call': True,
                 u'register': True,
                 u'publish': True,
                 u'subscribe': True
             }
         }
     ]
     role = RouterRoleStaticAuth(None, u'testrole', permissions)
     actions = [u'call', u'register', u'publish', u'subscribe']
     uris = [(u'com.example.1', True), (u'myuri', True), (u'', True)]
     for uri, allow in uris:
         for action in actions:
             authorization = role.authorize(None, uri, action, {})
             self.assertEqual(authorization[u'allow'], allow)
Ejemplo n.º 19
0
class TestRouterRoleStaticAuthWild(unittest.TestCase):
    def setUp(self):
        permissions = [{
            'uri': 'com..private',
            'match': 'wildcard',
            'allow': {
                'call': True,
                'register': False,
                'publish': False,
                'subscribe': False,
            }
        }, {
            'uri': 'com.something_specific.private',
            'match': 'exact',
            'allow': {
                'call': False,
                'register': True,
                'publish': False,
                'subscribe': False
            }
        }, {
            'uri': 'com.',
            'match': 'prefix',
            'allow': {
                'call': False,
                'register': False,
                'publish': True,
                'subscribe': False
            }
        }]
        self.role = RouterRoleStaticAuth(None, 'testrole', permissions)

    def test_exact_before_wildcard(self):
        # exact matches should always be preferred over wildcards
        self.assertEqual(False, self.role.authorize(None, 'com.something_specific.private', 'call', {})['allow'])
        self.assertEqual(True, self.role.authorize(None, 'com.something_specific.private', 'register', {})['allow'])

    def test_wildcard_before_prefix(self):
        # wildcards should be preferred over prefix
        self.assertEqual(True, self.role.authorize(None, 'com.foo.private', 'call', {})['allow'])
        self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'register', {})['allow'])
        self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'publish', {})['allow'])

    def test_prefix(self):
        # wildcards should be preferred over prefix
        self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'call', {})['allow'])
        self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'register', {})['allow'])
        self.assertEqual(True, self.role.authorize(None, 'com.whatever', 'publish', {})['allow'])
Ejemplo n.º 20
0
    def test_start_router_component(self):
        """
        Starting a class-based router component works.
        """
        r = router.RouterController(config=self.config, reactor=reactor)

        # Open the transport
        transport = FakeWAMPTransport(r)
        r.onOpen(transport)

        realm_config = {
            u"name":
            u"realm1",
            u'roles': [{
                u'name':
                u'anonymous',
                u'permissions': [{
                    u'subscribe': True,
                    u'register': True,
                    u'call': True,
                    u'uri': u'*',
                    u'publish': True
                }]
            }]
        }

        r.start_router_realm(u"realm1", realm_config)

        permissions = RouterPermissions(u'', True, True, True, True, True)
        routera = r._router_factory.get(u'realm1')
        routera.add_role(
            RouterRoleStaticAuth(router,
                                 'anonymous',
                                 default_permissions=permissions))

        component_config = {
            u"type": u"class",
            u"classname":
            u"crossbar.worker.test.examples.goodclass.AppSession",
            u"realm": u"realm1"
        }

        r.start_router_component("newcomponent", component_config)

        self.assertEqual(len(r.get_router_components()), 1)
        self.assertEqual(r.get_router_components()[0]["id"], "newcomponent")

        self.assertEqual(len(_), 1)
        _.pop()  # clear this global state
Ejemplo n.º 21
0
    def add_role(self, realm, config):
        self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})",
                       realm=realm, config=config)

        assert(realm in self._routers)

        router = self._routers[realm]
        uri = config['name']

        if 'permissions' in config:
            role = RouterRoleStaticAuth(router, uri, config['permissions'])
        elif 'authorizer' in config:
            role = RouterRoleDynamicAuth(router, uri, config['authorizer'])
        else:
            role = RouterRole(router, uri)

        router.add_role(role)
Ejemplo n.º 22
0
    def setUp(self):
        """
        Setup router and router session factories.
        """

        # create a router factory
        self.router_factory = RouterFactory()

        # start a realm
        self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'}))

        # allow everything
        permissions = RouterPermissions('', True, True, True, True, True)
        router = self.router_factory.get(u'realm1')
        router.add_role(RouterRoleStaticAuth(router, None, default_permissions=permissions))

        # create a router session factory
        self.session_factory = RouterSessionFactory(self.router_factory)
Ejemplo n.º 23
0
    def add_role(self, realm, config):
        self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})",
                       realm=realm, config=config)

        assert(type(realm) == six.text_type)
        assert(realm in self._routers)

        router = self._routers[realm]
        uri = config[u'name']

        if u'permissions' in config:
            role = RouterRoleStaticAuth(router, uri, config[u'permissions'])
        elif u'authorizer' in config:
            role = RouterRoleDynamicAuth(router, uri, config[u'authorizer'])
        else:
            allow_by_default = config.get(u'allow-by-default', False)
            role = RouterRole(router, uri, allow_by_default=allow_by_default)

        router.add_role(role)
Ejemplo n.º 24
0
def build_mqtt_server():

    reactor = Clock()
    router_factory, server_factory, session_factory = make_router()

    add_realm_to_router(router_factory, session_factory)
    router = add_realm_to_router(router_factory,
                                 session_factory,
                                 realm_name=u'mqtt',
                                 realm_options={})

    # allow everything
    default_permissions = {
        u'uri': u'',
        u'match': u'prefix',
        u'allow': {
            u'call': True,
            u'register': True,
            u'publish': True,
            u'subscribe': True
        }
    }

    router.add_role(RouterRoleStaticAuth(router, u'mqttrole', default_permissions=default_permissions))

    class AuthenticatorSession(ApplicationSession):

        @inlineCallbacks
        def onJoin(self, details):

            def authenticate(realm, authid, details):

                if authid == u"test123":

                    if details["ticket"] != u'password':
                        raise ApplicationError(u'com.example.invalid_ticket', u'nope')

                    res = {
                        u'realm': u'mqtt',
                        u'role': u'mqttrole',
                        u'extra': {}
                    }
                    return res

                else:
                    raise ApplicationError(u'com.example.no_such_user', u'nah')

            yield self.register(authenticate, u'com.example.auth')

            def tls(realm, authid, details):
                ACCEPTED_CERTS = set([u'95:1C:A9:6B:CD:8D:D2:BD:F4:73:82:01:55:89:41:12:9C:F8:AF:8E'])

                if 'client_cert' not in details['transport'] or not details['transport']['client_cert']:
                    raise ApplicationError(u"com.example.no_cert", u"no client certificate presented")

                client_cert = details['transport']['client_cert']
                sha1 = client_cert['sha1']
                subject_cn = client_cert['subject']['cn']

                if sha1 not in ACCEPTED_CERTS:
                    raise ApplicationError(u"com.example.invalid_cert", u"certificate with SHA1 {} denied".format(sha1))
                else:
                    return {
                        u'authid': subject_cn,
                        u'role': u'mqttrole',
                        u'realm': u'mqtt'
                    }

            yield self.register(tls, u'com.example.tls')

    config = ComponentConfig(u"default", {})
    authsession = AuthenticatorSession(config)
    session_factory.add(authsession, router, authrole=u"trusted")

    options = {
        u"options": {
            u"realm": u"mqtt",
            u"role": u"mqttrole",
            u"payload_mapping": {
                u"": {
                    u"type": u"native",
                    u"serializer": u"json"
                }
            },
            u"auth": {
                u"ticket": {
                    u"type": u"dynamic",
                    u"authenticator": u"com.example.auth",
                    u"authenticator-realm": u"default",
                },
                u"tls": {
                    u"type": u"dynamic",
                    u"authenticator": u"com.example.tls",
                    u"authenticator-realm": u"default",
                }
            }
        }
    }

    mqtt_factory = WampMQTTServerFactory(session_factory, options, reactor)

    server_factory._mqtt_factory = mqtt_factory

    return reactor, router, server_factory, session_factory
Ejemplo n.º 25
0
class TestRouterRoleStaticAuthWild(unittest.TestCase):

    def setUp(self):
        permissions = [
            {
                u'uri': u'com..private',
                u'match': 'wildcard',
                u'allow': {
                    u'call': True,
                    u'register': False,
                    u'publish': False,
                    u'subscribe': False,
                }
            },
            {
                u'uri': u'com.something_specific.private',
                u'match': 'exact',
                u'allow': {
                    u'call': False,
                    u'register': True,
                    u'publish': False,
                    u'subscribe': False
                }
            },
            {
                u'uri': u'com.',
                u'match': 'prefix',
                u'allow': {
                    u'call': False,
                    u'register': False,
                    u'publish': True,
                    u'subscribe': False
                }
            }
        ]
        self.role = RouterRoleStaticAuth(None, u'testrole', permissions)

    def test_exact_before_wildcard(self):
        # exact matches should always be preferred over wildcards
        self.assertEqual(
            False,
            self.role.authorize(None, u'com.something_specific.private', 'call', {})[u'allow']
        )
        self.assertEqual(
            True,
            self.role.authorize(None, u'com.something_specific.private', 'register', {})[u'allow']
        )

    def test_wildcard_before_prefix(self):
        # wildcards should be preferred over prefix
        self.assertEqual(
            True,
            self.role.authorize(None, u'com.foo.private', 'call', {})[u'allow']
        )
        self.assertEqual(
            False,
            self.role.authorize(None, u'com.foo.private', 'register', {})[u'allow']
        )
        self.assertEqual(
            False,
            self.role.authorize(None, u'com.foo.private', 'publish', {})[u'allow']
        )

    def test_prefix(self):
        # wildcards should be preferred over prefix
        self.assertEqual(
            False,
            self.role.authorize(None, u'com.whatever', 'call', {})[u'allow']
        )
        self.assertEqual(
            False,
            self.role.authorize(None, u'com.whatever', 'register', {})[u'allow']
        )
        self.assertEqual(
            True,
            self.role.authorize(None, u'com.whatever', 'publish', {})[u'allow']
        )