 def test_bad_regexs_are_skipped(self):
     # A campaign username regex that does not compile (unterminated class)
     # must not be applied: the username field comes back as None (skipped)
     # rather than True/False.
     submitted = db_validation.CredentialCollection(
         username='******', password=None, mfa_token=None
     )
     broken_campaign = db_models.Campaign(credential_regex_username=r'\S+[')
     expected = db_validation.CredentialCollection(
         username=None, password=None, mfa_token=None
     )
     result = db_validation.validate_credential_fields(submitted, broken_campaign)
     self.assertEqual(result, expected)
 def test_none_fields_fail(self):
     # A credential with no username at all is reported as failing the
     # username check (False). With the fixture campaign (self.campaign is
     # prepared outside this method) the password and MFA token stay None.
     empty_creds = db_validation.CredentialCollection(
         username=None, password=None, mfa_token=None
     )
     expected = db_validation.CredentialCollection(
         username=False, password=None, mfa_token=None
     )
     result = db_validation.validate_credential_fields(empty_creds, self.campaign)
     self.assertEqual(result, expected)
 def test_empty_configuration_returns_none(self):
     # A campaign with no credential regexes configured gives
     # validate_credential nothing to check against, so it returns None both
     # for fully populated and for completely empty credentials.
     samples = (
         db_validation.CredentialCollection(
             username='******', password='******', mfa_token='031337'
         ),
         db_validation.CredentialCollection(
             username=None, password=None, mfa_token=None
         ),
     )
     for creds in samples:
         verdict = db_validation.validate_credential(creds, db_models.Campaign())
         self.assertIsNone(verdict)
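	def get_query_creds(self, check_query=True):
		"""
		Get credentials that have been submitted in the request. For credentials
		to be returned at least a username must have been specified. The
		returned username will be None or a non-empty string. The returned
		password is always a string, which is empty when no password parameter
		(and no usable Authorization header) was found. The returned MFA token
		will be None or a non-empty string. This function checks the query data
		for credentials first if *check_query* is True, and then checks the
		contents of an Authorization header.

		Everything examined here (query parameters and the Authorization header)
		is supplied by the remote client, so malformed values must never raise
		out of this method; they simply yield no credentials.

		:param bool check_query: Whether or not to check the query data in addition to an Authorization header.
		:return: The submitted credentials.
		:rtype: :py:class:`~king_phisher.server.database.validation.CredentialCollection`
		"""
		def lookup(names):
			# Each parameter name is tried as given, Title-cased and UPPER-cased.
			# Returning None (instead of the last falsy lookup result, e.g. '')
			# keeps the "None or non-empty string" contract for the username
			# and MFA token.
			for pname in names:
				value = (self.get_query(pname) or self.get_query(pname.title()) or self.get_query(pname.upper()))
				if value:
					return value
			return None

		username = None
		password = ''
		mfa_token = None

		if check_query:
			username = lookup(('username', 'user', 'u', 'login'))
			if username:
				# password and MFA token are only looked up once a username exists
				password = lookup(('password', 'pass', 'p')) or ''
				mfa_token = lookup(('mfa', 'mfa-token', 'otp', 'otp-token', 'token'))
				return db_validation.CredentialCollection(username, password, mfa_token)

		basic_auth = self.headers.get('authorization')
		if basic_auth:
			parts = basic_auth.split()
			# scheme comparison is case-sensitive here, as in the original code
			if len(parts) == 2 and parts[0] == 'Basic':
				try:
					# Python 3 raises binascii.Error (a ValueError subclass) on bad
					# padding or a non-ASCII str, and UnicodeDecodeError (also a
					# ValueError subclass) when the decoded bytes are not UTF-8;
					# TypeError covers the Python 2 b64decode failure mode. None of
					# these must escape, since the header is client controlled.
					decoded = base64.b64decode(parts[1]).decode('utf-8')
				except (TypeError, ValueError):
					return db_validation.CredentialCollection(None, '', None)
				user_pass = decoded.split(':', 1)
				# require a "user:pass" pair with a non-empty user; the password
				# part may legitimately be empty
				if len(user_pass) == 2 and user_pass[0]:
					username, password = user_pass
		return db_validation.CredentialCollection(username, password, mfa_token)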
 def test_extra_fields_are_ignored(self):
     # Supplying a password and/or MFA token next to a username that passes
     # the fixture campaign's checks does not change the verdict: every
     # combination still validates as True.
     extras = (
         {'password': '******', 'mfa_token': None},
         {'password': None, 'mfa_token': '031337'},
         {'password': '******', 'mfa_token': '031337'},
     )
     for extra in extras:
         creds = db_validation.CredentialCollection(username='******', **extra)
         self.assertTrue(db_validation.validate_credential(creds, self.campaign))
    def test_validation_methods(self):
        # validate_credential_fields reports a per-field result (True passed,
        # False failed, None not checked) and validate_credential collapses
        # that into one verdict; both are checked for each scenario so they
        # cannot drift apart. The third scenario constrains both the username
        # and the password, so a credential without a password fails.
        strict_campaign = db_models.Campaign(credential_regex_username=r'a\S+',
                                             credential_regex_password=r'a\S+')
        scenarios = (
            (
                db_validation.CredentialCollection(username='******',
                                                   password=None,
                                                   mfa_token=None),
                self.campaign,
                db_validation.CredentialCollection(username=True,
                                                   password=None,
                                                   mfa_token=None),
                True,
            ),
            (
                db_validation.CredentialCollection(username='******',
                                                   password=None,
                                                   mfa_token=None),
                self.campaign,
                db_validation.CredentialCollection(username=False,
                                                   password=None,
                                                   mfa_token=None),
                False,
            ),
            (
                db_validation.CredentialCollection(username='******',
                                                   password=None,
                                                   mfa_token=None),
                strict_campaign,
                db_validation.CredentialCollection(username=True,
                                                   password=False,
                                                   mfa_token=None),
                False,
            ),
        )
        for cred, campaign, expected_fields, expected_verdict in scenarios:
            fields = db_validation.validate_credential_fields(cred, campaign)
            self.assertEqual(fields, expected_fields)
            verdict = db_validation.validate_credential(cred, campaign)
            if expected_verdict:
                self.assertTrue(verdict)
            else:
                self.assertFalse(verdict)