Ejemplo n.º 1
    def testWithPlaintextWrongPassword(self):
        # Negative case for the salted-SHA256 credential: a requester that
        # answers with the wrong plaintext must never verify.
        credential = CredUSPCC("user")

        # authenticator side: hand out the salt and a fresh challenge
        credential.salt = self.salt
        credential.challenge = credentials.cryptChallenge()

        # requester side: reply with a password that is not the right one
        credential.setPassword("wrong")

        # authenticator side: neither the known good stored value nor an
        # unrelated string may be accepted for this response
        for stored in (self.good, "boohoowrong"):
            self.failIf(credential.checkSha256Password(stored))
Ejemplo n.º 2
    def testWithPlaintextWrongPassword(self):
        # Negative case for the crypt-based credential: a wrong plaintext
        # response must be rejected against every stored value tried.
        credential = CredUCPCC('user')

        # authenticator side: fixed two-character salt plus a fresh challenge
        credential.salt = 'qi'
        credential.challenge = credentials.cryptChallenge()

        # requester side: reply with a password that is not the right one
        credential.setPassword('wrong')

        # authenticator side: 'qi1Lftt0GZC0o' is the stored value this test
        # treats as known good; 'boohoowrong' is an unrelated string
        for stored in ('qi1Lftt0GZC0o', 'boohoowrong'):
            self.failIf(credential.checkCryptPassword(stored))
Ejemplo n.º 3
    def testWithPlaintextWrongPassword(self):
        # A wrong plaintext answer on a crypt challenge/response credential
        # has to fail verification, both against the known good stored value
        # and against an unrelated one.
        knownGood = 'qi1Lftt0GZC0o'
        unrelated = 'boohoowrong'
        requester = CredUCPCC('user')

        # the authenticator fills in salt and challenge
        requester.salt = 'qi'
        requester.challenge = credentials.cryptChallenge()

        # the requester answers, but with the wrong password
        requester.setPassword('wrong')

        # the authenticator must refuse in both comparisons
        self.failIf(requester.checkCryptPassword(knownGood))
        self.failIf(requester.checkCryptPassword(unrelated))
Ejemplo n.º 4
    def testWithPlaintext(self):
        # Round trip for the crypt-based credential: no response fails, the
        # right plaintext verifies, an unrelated stored value does not.
        knownGood = "qi1Lftt0GZC0o"
        requester = CredUCPCC("user")

        # the authenticator fills in salt and challenge
        requester.salt = "qi"
        requester.challenge = credentials.cryptChallenge()

        # before the requester has answered, even the known good stored
        # value must not verify
        self.failIf(requester.checkCryptPassword(knownGood))

        # the requester answers with the right password
        requester.setPassword("test")

        # now the known good value verifies and anything else is rejected
        self.assert_(requester.checkCryptPassword(knownGood))
        self.failIf(requester.checkCryptPassword("boohoowrong"))
Ejemplo n.º 5
    def testWithPlaintext(self):
        # Round trip for the salted-SHA256 credential: no response fails, the
        # right plaintext verifies, an unrelated stored value does not.
        requester = CredUSPCC("user")

        # the authenticator fills in salt and challenge
        requester.salt = self.salt
        requester.challenge = credentials.cryptChallenge()

        # nothing has been answered yet, so even the correct stored value
        # must be rejected
        knownGood = self.good
        self.failIf(requester.checkSha256Password(knownGood))

        # the requester answers with the right password
        requester.setPassword("test")

        # now the known good value verifies and anything else is rejected
        self.failUnless(requester.checkSha256Password(knownGood))
        self.failIf(requester.checkSha256Password("boohoowrong"))
Ejemplo n.º 6
    def testWithPlaintext(self):
        # Salted-SHA256 credential, happy path: verification only succeeds
        # once the requester has supplied the right plaintext.
        credential = CredUSPCC('user')
        verify = credential.checkSha256Password

        # authenticator side: hand out the salt and a fresh challenge
        credential.salt = self.salt
        credential.challenge = credentials.cryptChallenge()

        # no response yet: the correct stored value must still be refused
        self.failIf(verify(self.good))

        # requester side: reply with the right password
        credential.setPassword('test')

        # authenticator side: the known good value is accepted, an unrelated
        # string is not
        self.failUnless(verify(self.good))
        self.failIf(verify('boohoowrong'))
Ejemplo n.º 7
    def do_authenticate(self, keycard):
        """
        Authenticate a keycard, running a challenge/response round first
        when the keycard type calls for one.

        Returns None when the keycard is refused (its state is set to
        keycards.REFUSED), the keycard itself when a fresh challenge and
        salt were just placed on it, and otherwise the deferred obtained
        from the checker's requestAvatarId().
        """
        if isinstance(keycard, self.challengeResponseClasses):
            # Check if we need to challenge it
            if not self.hasAuthSession(keycard):
                if not self.startAuthSession(keycard):
                    # Keycard refused right away
                    keycard.state = keycards.REFUSED
                    return None
                self.debug('putting challenge on keycard %r' % keycard)
                keycard.challenge = credentials.cryptChallenge()
                if keycard.username in self._db:
                    keycard.salt = self._db[keycard.username]
                else:
                    # Unknown user: answer with a decoy salt so the reply
                    # does not give away that the name is missing.
                    # NOTE(review): the decoy is the first two hex digits of
                    # an MD5 over a number from the `random` module, so it
                    # is limited to [0-9a-f] and changes on every attempt,
                    # while a known user always gets the stored salt. If
                    # stored salts use a wider alphabet, or the same name is
                    # asked for twice, the two cases can be told apart.
                    # Consider deriving the decoy from the username with a
                    # server-side secret (e.g. an HMAC) so it is stable and
                    # drawn from the same alphabet -- confirm the stored
                    # salt format first.
                    string = str(random.randint(pow(10, 10), pow(10, 11)))
                    md = python.md5()
                    md.update(string)
                    keycard.salt = md.hexdigest()[:2]
                    self.debug("user not found, inventing bogus salt")
                self.debug("salt %s, storing challenge for id %s" %
                           (keycard.salt, keycard.id))
                # Record the session state, then send the keycard back to
                # the requester so it can compute its response.
                self.updateAuthSession(keycard)
                return keycard
            else:
                # A session already exists: the challenge on the returned
                # keycard must equal what getAuthSessionInfo() gives back
                # for it, otherwise it was tampered with.
                challenge = self.getAuthSessionInfo(keycard)
                if challenge != keycard.challenge:
                    self.info('keycard %r refused, challenge tampered with' %
                              keycard)
                    self.cancelAuthSession(keycard)
                    keycard.state = keycards.REFUSED
                    return None
        else:
            # Not a challenge/response authentication.
            # creating a temporary session to have a keycard id
            if not self.startAuthSession(keycard):
                # Keycard refused right away
                keycard.state = keycards.REFUSED
                return None

        # Reached by challenge/response keycards whose challenge matched and
        # by every other keycard type: let the checker decide.
        self.debug('submitting keycard %r to checker' % keycard)
        d = self._checker.requestAvatarId(keycard)
        d.addCallback(self._requestAvatarIdCallback, keycard)
        d.addErrback(self._requestAvatarIdErrback, keycard)
        return d
Ejemplo n.º 8
    def do_authenticate(self, keycard):
        """
        Authenticate a keycard, running a challenge/response round first
        when the keycard type calls for one.

        Returns None when the keycard is refused (its state is set to
        keycards.REFUSED), the keycard itself when a fresh challenge and
        salt were just placed on it, and otherwise the deferred obtained
        from the checker's requestAvatarId().
        """
        if isinstance(keycard, self.challengeResponseClasses):
            # Check if we need to challenge it
            if not self.hasAuthSession(keycard):
                if not self.startAuthSession(keycard):
                    # Keycard refused right away
                    keycard.state = keycards.REFUSED
                    return None
                self.debug('putting challenge on keycard %r' % keycard)
                keycard.challenge = credentials.cryptChallenge()
                if keycard.username in self._db:
                    keycard.salt = self._db[keycard.username]
                else:
                    # Unknown user: answer with a decoy salt so the reply
                    # does not give away that the name is missing.
                    # NOTE(review): the decoy is the first two hex digits of
                    # an MD5 over a number from the `random` module, so it
                    # is limited to [0-9a-f] and changes on every attempt,
                    # while a known user always gets the stored salt. If
                    # stored salts use a wider alphabet, or the same name is
                    # asked for twice, the two cases can be told apart.
                    # Consider deriving the decoy from the username with a
                    # server-side secret (e.g. an HMAC) so it is stable and
                    # drawn from the same alphabet -- confirm the stored
                    # salt format first.
                    string = str(random.randint(pow(10, 10), pow(10, 11)))
                    md = md5.new()
                    md.update(string)
                    keycard.salt = md.hexdigest()[:2]
                    self.debug("user not found, inventing bogus salt")
                self.debug("salt %s, storing challenge for id %s"
                           % (keycard.salt, keycard.id))
                # Record the session state, then send the keycard back to
                # the requester so it can compute its response.
                self.updateAuthSession(keycard)
                return keycard
            else:
                # A session already exists: the challenge on the returned
                # keycard must equal what getAuthSessionInfo() gives back
                # for it, otherwise it was tampered with.
                challenge = self.getAuthSessionInfo(keycard)
                if challenge != keycard.challenge:
                    self.info('keycard %r refused, challenge tampered with'
                              % keycard)
                    self.cancelAuthSession(keycard)
                    keycard.state = keycards.REFUSED
                    return None
        else:
            # Not a challenge/response authentication.
            # creating a temporary session to have a keycard id
            if not self.startAuthSession(keycard):
                # Keycard refused right away
                keycard.state = keycards.REFUSED
                return None

        # Reached by challenge/response keycards whose challenge matched and
        # by every other keycard type: let the checker decide.
        self.debug('submitting keycard %r to checker' % keycard)
        d = self._checker.requestAvatarId(keycard)
        d.addCallback(self._requestAvatarIdCallback, keycard)
        d.addErrback(self._requestAvatarIdErrback, keycard)
        return d
Ejemplo n.º 9
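    def do_authenticate(self, keycard):
        """
        Register the keycard, run the challenge/response handshake when the
        keycard type needs one, then hand the keycard to the checker.

        Returns the keycard itself when registration refused it (state set
        to keycards.REFUSED) or when a fresh challenge and salt were just
        placed on it, None when the challenge check fails, and otherwise the
        deferred obtained from the checker's requestAvatarId().
        """
        # at this point we add it so there's an ID for challenge-response
        if not self.addKeycard(keycard):
            keycard.state = keycards.REFUSED
            return keycard

        # check if the keycard is ready for the checker, based on the type
        if isinstance(keycard, self.challengeResponseClasses):
            # Check if we need to challenge it
            if not keycard.challenge:
                self.debug('putting challenge on keycard %r' % keycard)
                keycard.challenge = credentials.cryptChallenge()
                if keycard.username in self._db:
                    keycard.salt = self._db[keycard.username]
                else:
                    # Unknown user: answer with a decoy salt so the reply
                    # does not give away that the name is missing.
                    # NOTE(review): the decoy is the first two hex digits of
                    # an MD5 over a number from the `random` module, so it
                    # is limited to [0-9a-f] and changes on every attempt,
                    # while a known user always gets the stored salt. If
                    # stored salts use a wider alphabet, or the same name is
                    # asked for twice, the two cases can be told apart.
                    # Consider deriving the decoy from the username with a
                    # server-side secret (e.g. an HMAC) -- confirm the
                    # stored salt format first.
                    string = str(random.randint(pow(10, 10), pow(10, 11)))
                    md = md5.new()
                    md.update(string)
                    keycard.salt = md.hexdigest()[:2]
                    self.debug("user not found, inventing bogus salt")
                self.debug("salt %s, storing challenge for id %s" % (
                    keycard.salt, keycard.id))
                # we store the challenge locally to verify against tampering
                self._challenges[keycard.id] = keycard.challenge
                return keycard

            if keycard.response:
                # Fail closed: only a challenge this bouncer issued for this
                # id counts. A missing entry (the id was never challenged
                # here, or its challenge was already consumed by an earlier
                # response) is refused like a mismatch instead of surfacing
                # as an unhandled KeyError.
                expected = self._challenges.get(keycard.id)
                if expected is None or expected != keycard.challenge:
                    self.removeKeycard(keycard)
                    self.info('keycard %r refused, challenge tampered with' %
                        keycard)
                    return None
                # each issued challenge is accepted for one response only
                del self._challenges[keycard.id]
            # NOTE(review): a keycard that carries a challenge but no
            # response falls through to the checker as it is -- confirm the
            # checker rejects it.

        # use the checker
        self.debug('submitting keycard %r to checker' % keycard)
        d = self._checker.requestAvatarId(keycard)
        d.addCallback(self._requestAvatarIdCallback, keycard)
        d.addErrback(self._requestAvatarIdErrback, keycard)
        return d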
Ejemplo n.º 10
 def setRequesterId(self, requesterId):
     """
     Store the requester id and derive an issuer name from it.

     The issuer name is the string form of the requester id, a dash, and
     the value returned by cryptChallenge().
     """
     self.requesterId = requesterId
     # the cryptChallenge() suffix is what is meant to make the name unique
     # NOTE(review): uniqueness depends on what cryptChallenge() returns,
     # which is not visible here -- confirm
     self.issuerName = '-'.join([str(self.requesterId), cryptChallenge()])
Ejemplo n.º 11
 def setRequesterId(self, requesterId):
     """
     Remember who requested the keycard and build the issuer name.

     The issuer name joins the requester id (as a string) and a value from
     cryptChallenge() with a dash.
     """
     self.requesterId = requesterId
     # prefix identifies the requester; the suffix is there to make the
     # resulting name unique
     prefix = str(self.requesterId)
     suffix = cryptChallenge()
     self.issuerName = prefix + '-' + suffix