def setUp(self): """ Setup router and router session factories. """ # create a router factory self.router_factory = RouterFactory(u'mynode') # start a realm self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'})) # allow everything default_permissions = { u'uri': u'', u'match': u'prefix', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True } } self.router = self.router_factory.get(u'realm1') self.router.add_role(RouterRoleStaticAuth(self.router, u'test_role', default_permissions=default_permissions)) self.router.add_role(RouterRoleStaticAuth(self.router, None, default_permissions=default_permissions)) # create a router session factory self.session_factory = RouterSessionFactory(self.router_factory)
def setUp(self): permissions = [{ u'uri': u'com..private', u'match': 'wildcard', u'allow': { u'call': True, u'register': False, u'publish': False, u'subscribe': False, } }, { u'uri': u'com.something_specific.private', u'match': 'exact', u'allow': { u'call': False, u'register': True, u'publish': False, u'subscribe': False } }, { u'uri': u'com.', u'match': 'prefix', u'allow': { u'call': False, u'register': False, u'publish': True, u'subscribe': False } }] self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
def test_ruleset_empty(self): permissions = [] role = RouterRoleStaticAuth(None, "testrole", permissions) actions = ['call', 'register', 'publish', 'subscribe'] uris = ['com.example.1', 'myuri', ''] for uri in uris: for action in actions: self.assertFalse(role.authorize(None, uri, action))
def test_ruleset_2(self): permissions = [{u"uri": u"*", u"call": True, u"register": True, u"publish": True, u"subscribe": True}] role = RouterRoleStaticAuth(None, u"testrole", permissions) actions = [u"call", u"register", u"publish", u"subscribe"] uris = [(u"com.example.1", True), (u"myuri", True), (u"", True)] for uri, allow in uris: for action in actions: authorization = role.authorize(None, uri, action) self.assertEqual(authorization[u"allow"], allow)
def test_ruleset_empty(self): permissions = [] role = RouterRoleStaticAuth(None, u'testrole', permissions) actions = [u'call', u'register', u'publish', u'subscribe'] uris = [u'com.example.1', u'myuri', u''] for uri in uris: for action in actions: authorization = role.authorize(None, uri, action, {}) self.assertFalse(authorization[u'allow'])
def test_ruleset_2(self): permissions = [{'uri': '*', 'allow': {'call': True, 'register': True, 'publish': True, 'subscribe': True}}] role = RouterRoleStaticAuth(None, 'testrole', permissions) actions = ['call', 'register', 'publish', 'subscribe'] uris = [('com.example.1', True), ('myuri', True), ('', True)] for uri, allow in uris: for action in actions: authorization = role.authorize(None, uri, action, {}) self.assertEqual(authorization['allow'], allow)
def test_ruleset_empty(self): permissions = [] role = RouterRoleStaticAuth(None, u"testrole", permissions) actions = [u"call", u"register", u"publish", u"subscribe"] uris = [u"com.example.1", u"myuri", u""] for uri in uris: for action in actions: authorization = role.authorize(None, uri, action) self.assertFalse(authorization[u"allow"])
def test_ruleset_1(self): permissions = [{ 'uri': 'com.example.*', 'call': True, 'register': True, 'publish': True, 'subscribe': True }] role = RouterRoleStaticAuth(None, "testrole", permissions) actions = ['call', 'register', 'publish', 'subscribe'] uris = [('com.example.1', True), ('myuri', False), ('', False)] for uri, allow in uris: for action in actions: self.assertEqual(role.authorize(None, uri, action), allow)
def setUp(self): permissions = [ { u'uri': u'com..private', u'match': 'wildcard', u'allow': { u'call': True, u'register': False, u'publish': False, u'subscribe': False, } }, { u'uri': u'com.something_specific.private', u'match': 'exact', u'allow': { u'call': False, u'register': True, u'publish': False, u'subscribe': False } }, { u'uri': u'com.', u'match': 'prefix', u'allow': { u'call': False, u'register': False, u'publish': True, u'subscribe': False } } ] self.role = RouterRoleStaticAuth(None, u'testrole', permissions)
def test_ruleset_2(self): permissions = [ { 'uri': '*', 'call': True, 'register': True, 'publish': True, 'subscribe': True } ] role = RouterRoleStaticAuth(None, "testrole", permissions) actions = ['call', 'register', 'publish', 'subscribe'] uris = [('com.example.1', True), ('myuri', True), ('', True)] for uri, allow in uris: for action in actions: self.assertEqual(role.authorize(None, uri, action), allow)
def add_realm_to_router(router_factory, session_factory, realm_name=u'default', realm_options={}): opts = dict(realm_options) opts.update({u'name': realm_name}) # start a realm realm = RouterRealm(None, opts) router = router_factory.start_realm(realm) extra = {} session_config = ComponentConfig(realm_name, extra) realm.session = RouterServiceSession(session_config, router) # allow everything default_permissions = { u'uri': u'', u'match': u'prefix', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True } } router = router_factory.get(realm_name) router.add_role(RouterRoleStaticAuth(router, 'anonymous', default_permissions=default_permissions)) session_factory.add(realm.session, authrole=u'trusted') return router
def add_role(self, realm: str, config: Dict[str, Any]) -> RouterRole: """ Add a role to a realm. :param realm: The name of the realm to add the role to. :param config: The role configuration. :return: The new role object. """ self.log.info('{func}: realm="{realm}", config=\n{config}', func=hltype(self.add_role), realm=hlval(realm), config=pformat(config)) if realm not in self._routers: raise RuntimeError( 'no router started for realm "{}"'.format(realm)) router = self._routers[realm] uri = config['name'] role: RouterRole if 'permissions' in config: role = RouterRoleStaticAuth(router, uri, config['permissions']) elif 'authorizer' in config: role = RouterRoleDynamicAuth(router, uri, config['authorizer']) else: allow_by_default = config.get('allow-by-default', False) role = RouterRole(router, uri, allow_by_default=allow_by_default) router.add_role(role) return role
def setUp(self): # create a router factory self.router_factory = RouterFactory(None, None) # start a realm self.realm = RouterRealm(None, {u'name': u'realm1'}) self.router_factory.start_realm(self.realm) # allow everything self.router = self.router_factory.get(u'realm1') self.router.add_role( RouterRoleStaticAuth(self.router, u'test_role', default_permissions={ u'uri': u'com.myapp.', u'match': u'prefix', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True, } })) # create a router session factory self.session_factory = RouterSessionFactory(self.router_factory)
def setUp(self): """ Setup router and router session factories. """ # create a router factory self.router_factory = RouterFactory('node1', 'router1', None) # start a realm self.realm = RouterRealm(None, None, {'name': 'realm1'}) self.router_factory.start_realm(self.realm) # allow everything self.router = self.router_factory.get('realm1') self.router.add_role( RouterRoleStaticAuth(self.router, 'test_role', default_permissions={ 'uri': 'com.example.', 'match': 'prefix', 'allow': { 'call': True, 'register': True, 'publish': True, 'subscribe': True, } })) # create a router session factory self.session_factory = RouterSessionFactory(self.router_factory)
def test_ruleset_1(self): permissions = [{ u'uri': u'com.example.*', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True } }] role = RouterRoleStaticAuth(None, u'testrole', permissions) actions = [u'call', u'register', u'publish', u'subscribe'] uris = [(u'com.example.1', True), (u'myuri', False), (u'', False)] for uri, allow in uris: for action in actions: authorization = role.authorize(None, uri, action, {}) self.assertEqual(authorization[u'allow'], allow)
def test_ruleset_2(self): permissions = [ { u'uri': u'*', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True } } ] role = RouterRoleStaticAuth(None, u'testrole', permissions) actions = [u'call', u'register', u'publish', u'subscribe'] uris = [(u'com.example.1', True), (u'myuri', True), (u'', True)] for uri, allow in uris: for action in actions: authorization = role.authorize(None, uri, action, {}) self.assertEqual(authorization[u'allow'], allow)
class TestRouterRoleStaticAuthWild(unittest.TestCase): def setUp(self): permissions = [{ 'uri': 'com..private', 'match': 'wildcard', 'allow': { 'call': True, 'register': False, 'publish': False, 'subscribe': False, } }, { 'uri': 'com.something_specific.private', 'match': 'exact', 'allow': { 'call': False, 'register': True, 'publish': False, 'subscribe': False } }, { 'uri': 'com.', 'match': 'prefix', 'allow': { 'call': False, 'register': False, 'publish': True, 'subscribe': False } }] self.role = RouterRoleStaticAuth(None, 'testrole', permissions) def test_exact_before_wildcard(self): # exact matches should always be preferred over wildcards self.assertEqual(False, self.role.authorize(None, 'com.something_specific.private', 'call', {})['allow']) self.assertEqual(True, self.role.authorize(None, 'com.something_specific.private', 'register', {})['allow']) def test_wildcard_before_prefix(self): # wildcards should be preferred over prefix self.assertEqual(True, self.role.authorize(None, 'com.foo.private', 'call', {})['allow']) self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'register', {})['allow']) self.assertEqual(False, self.role.authorize(None, 'com.foo.private', 'publish', {})['allow']) def test_prefix(self): # wildcards should be preferred over prefix self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'call', {})['allow']) self.assertEqual(False, self.role.authorize(None, 'com.whatever', 'register', {})['allow']) self.assertEqual(True, self.role.authorize(None, 'com.whatever', 'publish', {})['allow'])
def test_start_router_component(self): """ Starting a class-based router component works. """ r = router.RouterController(config=self.config, reactor=reactor) # Open the transport transport = FakeWAMPTransport(r) r.onOpen(transport) realm_config = { u"name": u"realm1", u'roles': [{ u'name': u'anonymous', u'permissions': [{ u'subscribe': True, u'register': True, u'call': True, u'uri': u'*', u'publish': True }] }] } r.start_router_realm(u"realm1", realm_config) permissions = RouterPermissions(u'', True, True, True, True, True) routera = r._router_factory.get(u'realm1') routera.add_role( RouterRoleStaticAuth(router, 'anonymous', default_permissions=permissions)) component_config = { u"type": u"class", u"classname": u"crossbar.worker.test.examples.goodclass.AppSession", u"realm": u"realm1" } r.start_router_component("newcomponent", component_config) self.assertEqual(len(r.get_router_components()), 1) self.assertEqual(r.get_router_components()[0]["id"], "newcomponent") self.assertEqual(len(_), 1) _.pop() # clear this global state
def add_role(self, realm, config): self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})", realm=realm, config=config) assert(realm in self._routers) router = self._routers[realm] uri = config['name'] if 'permissions' in config: role = RouterRoleStaticAuth(router, uri, config['permissions']) elif 'authorizer' in config: role = RouterRoleDynamicAuth(router, uri, config['authorizer']) else: role = RouterRole(router, uri) router.add_role(role)
def setUp(self): """ Setup router and router session factories. """ # create a router factory self.router_factory = RouterFactory() # start a realm self.router_factory.start_realm(RouterRealm(None, {u'name': u'realm1'})) # allow everything permissions = RouterPermissions('', True, True, True, True, True) router = self.router_factory.get(u'realm1') router.add_role(RouterRoleStaticAuth(router, None, default_permissions=permissions)) # create a router session factory self.session_factory = RouterSessionFactory(self.router_factory)
def add_role(self, realm, config): self.log.debug("CrossbarRouterFactory.add_role(realm = {realm}, config = {config})", realm=realm, config=config) assert(type(realm) == six.text_type) assert(realm in self._routers) router = self._routers[realm] uri = config[u'name'] if u'permissions' in config: role = RouterRoleStaticAuth(router, uri, config[u'permissions']) elif u'authorizer' in config: role = RouterRoleDynamicAuth(router, uri, config[u'authorizer']) else: allow_by_default = config.get(u'allow-by-default', False) role = RouterRole(router, uri, allow_by_default=allow_by_default) router.add_role(role)
def build_mqtt_server(): reactor = Clock() router_factory, server_factory, session_factory = make_router() add_realm_to_router(router_factory, session_factory) router = add_realm_to_router(router_factory, session_factory, realm_name=u'mqtt', realm_options={}) # allow everything default_permissions = { u'uri': u'', u'match': u'prefix', u'allow': { u'call': True, u'register': True, u'publish': True, u'subscribe': True } } router.add_role(RouterRoleStaticAuth(router, u'mqttrole', default_permissions=default_permissions)) class AuthenticatorSession(ApplicationSession): @inlineCallbacks def onJoin(self, details): def authenticate(realm, authid, details): if authid == u"test123": if details["ticket"] != u'password': raise ApplicationError(u'com.example.invalid_ticket', u'nope') res = { u'realm': u'mqtt', u'role': u'mqttrole', u'extra': {} } return res else: raise ApplicationError(u'com.example.no_such_user', u'nah') yield self.register(authenticate, u'com.example.auth') def tls(realm, authid, details): ACCEPTED_CERTS = set([u'95:1C:A9:6B:CD:8D:D2:BD:F4:73:82:01:55:89:41:12:9C:F8:AF:8E']) if 'client_cert' not in details['transport'] or not details['transport']['client_cert']: raise ApplicationError(u"com.example.no_cert", u"no client certificate presented") client_cert = details['transport']['client_cert'] sha1 = client_cert['sha1'] subject_cn = client_cert['subject']['cn'] if sha1 not in ACCEPTED_CERTS: raise ApplicationError(u"com.example.invalid_cert", u"certificate with SHA1 {} denied".format(sha1)) else: return { u'authid': subject_cn, u'role': u'mqttrole', u'realm': u'mqtt' } yield self.register(tls, u'com.example.tls') config = ComponentConfig(u"default", {}) authsession = AuthenticatorSession(config) session_factory.add(authsession, router, authrole=u"trusted") options = { u"options": { u"realm": u"mqtt", u"role": u"mqttrole", u"payload_mapping": { u"": { u"type": u"native", u"serializer": u"json" } }, u"auth": { u"ticket": { u"type": u"dynamic", u"authenticator": u"com.example.auth", u"authenticator-realm": u"default", }, u"tls": { u"type": u"dynamic", u"authenticator": u"com.example.tls", u"authenticator-realm": u"default", } } } } mqtt_factory = WampMQTTServerFactory(session_factory, options, reactor) server_factory._mqtt_factory = mqtt_factory return reactor, router, server_factory, session_factory
class TestRouterRoleStaticAuthWild(unittest.TestCase): def setUp(self): permissions = [ { u'uri': u'com..private', u'match': 'wildcard', u'allow': { u'call': True, u'register': False, u'publish': False, u'subscribe': False, } }, { u'uri': u'com.something_specific.private', u'match': 'exact', u'allow': { u'call': False, u'register': True, u'publish': False, u'subscribe': False } }, { u'uri': u'com.', u'match': 'prefix', u'allow': { u'call': False, u'register': False, u'publish': True, u'subscribe': False } } ] self.role = RouterRoleStaticAuth(None, u'testrole', permissions) def test_exact_before_wildcard(self): # exact matches should always be preferred over wildcards self.assertEqual( False, self.role.authorize(None, u'com.something_specific.private', 'call', {})[u'allow'] ) self.assertEqual( True, self.role.authorize(None, u'com.something_specific.private', 'register', {})[u'allow'] ) def test_wildcard_before_prefix(self): # wildcards should be preferred over prefix self.assertEqual( True, self.role.authorize(None, u'com.foo.private', 'call', {})[u'allow'] ) self.assertEqual( False, self.role.authorize(None, u'com.foo.private', 'register', {})[u'allow'] ) self.assertEqual( False, self.role.authorize(None, u'com.foo.private', 'publish', {})[u'allow'] ) def test_prefix(self): # wildcards should be preferred over prefix self.assertEqual( False, self.role.authorize(None, u'com.whatever', 'call', {})[u'allow'] ) self.assertEqual( False, self.role.authorize(None, u'com.whatever', 'register', {})[u'allow'] ) self.assertEqual( True, self.role.authorize(None, u'com.whatever', 'publish', {})[u'allow'] )