def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
otheruser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
with transaction.commit_on_success():
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
with transaction.commit_on_success():
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
def __call__(self, request):
authenticator = HttpDigestAuthenticator()
if (not authenticator.authenticate(request) and
(get_setting("DIGEST_REQUIRE_AUTHENTICATION", False) or
authenticator.contains_digest_credentials(request))):
return authenticator.build_challenge_response()
response = self.get_response(request)
if response.status_code == 401:
return authenticator.build_challenge_response()
return response
def test_authenticate_nonce(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce = python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
assert 'HTTP_AUTHORIZATION' in first_request.META
assert python_digest.is_digest_credential(
first_request.META['HTTP_AUTHORIZATION'])
self.assertTrue(
HttpDigestAuthenticator.contains_digest_credentials(first_request))
transaction.set_autocommit(False)
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
transaction.commit()
transaction.set_autocommit(True)
def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
assert 'HTTP_AUTHORIZATION' in first_request.META
assert python_digest.is_digest_credential(first_request.META['HTTP_AUTHORIZATION'])
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
transaction.set_autocommit(False)
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
transaction.commit()
transaction.set_autocommit(True)
def test_authenticate(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
otheruser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
# an invalid request
fourth_request = self.create_mock_request_for_header(
'Digest blah blah blah')
# an invalid request
fifth_request = self.create_mock_request_for_header(None)
# an invalid nonce
sixth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=1,
nonce=python_digest.calculate_nonce(time.time(), secret='bad secret'))
# an invalid request digest (wrong password)
seventh_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
# attack attempts / failures don't invalidate the session or increment nonce_cont
eighth_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
eighth_request.user = testuser
# mismatched URI
ninth_request = self.create_mock_request(
username=testuser.username, nonce=nonce, password='******',
nonce_count=4, request_path='/different/path')
# stale nonce
tenth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=4,
nonce=python_digest.calculate_nonce(
time.time()-60000, secret=settings.SECRET_KEY))
# once the nonce is used by one user, can't be reused by another
eleventh_request = self.create_mock_request(
username=otheruser.username, password='******', nonce=nonce,
nonce_count=4)
# if the partial digest is not in the DB, authentication fails
twelfth_request = self.create_mock_request(username=testuser.username,
password='******', nonce_count=3)
# a request for Basic auth
thirteenth_request = self.create_mock_request_for_header(
'Basic YmxhaDpibGFo')
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(first_request))
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
self.assertTrue(authenticator.authenticate(third_request))
self.assertFalse(authenticator.authenticate(fourth_request))
self.assertFalse(authenticator.authenticate(fifth_request))
self.assertFalse(authenticator.authenticate(sixth_request))
self.assertFalse(authenticator.authenticate(seventh_request))
self.assertTrue(authenticator.authenticate(eighth_request))
self.assertFalse(authenticator.authenticate(ninth_request))
self.assertFalse(authenticator.authenticate(tenth_request))
self.assertFalse(authenticator.authenticate(eleventh_request))
PartialDigest.objects.all().delete()
self.assertFalse(authenticator.authenticate(twelfth_request))
self.assertFalse(authenticator.authenticate(thirteenth_request))
