def testSecurityCheckUnicode(self):
user = "******"
# TODO(hanuszczak): Test password with unicode characters as well. Currently
# this will not work because `CryptedPassword` is broken and does not work
# with unicode objects.
password = "******"
with aff4.FACTORY.Open("aff4:/users/%s" % user,
aff4_type=aff4_users.GRRUser,
mode="w",
token=self.token) as fd:
crypted_password = aff4_users.CryptedPassword()
crypted_password.SetPassword(password.encode("utf-8"))
fd.Set(fd.Schema.PASSWORD, crypted_password)
token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
environ = werkzeug_test.EnvironBuilder(path="/foo",
headers={
"Authorization":
"Basic %s" % token,
}).get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del args, kwargs # Unused.
self.assertEqual(request.user, user)
return werkzeug_wrappers.Response("foobar", status=200)
manager = webauth.BasicWebAuthManager()
response = manager.SecurityCheck(Handler, request)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.get_data(), "foobar")
def testFailedSignatureKey(self):
"""Test requests with an invalid JWT Token."""
assertion_header = (
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsI"
"mtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20"
"vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaDciLCJlbWFpbCI6ImFaaaaaaaazaaaaaaaaaaaaaaaaaaaaaa8iLCJhd"
"WQiOiIvcHJvamVjdaaaaaaaaaaaaaaaaaayaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaayOegyMzkzOTQ2NCIsImV4cCI6MTU0Njk4MDUwNiwiaWF0Ijo"
"xNTQ2OTc5OTA2LCJaaCI6InNwb3apaaaaaaaaaaaaaaapayJ9.NZwDs0U_fubYS"
"OmYNJAI9ufgoC84zXOCzZkxclWBVXhb1dBVQHpO-VZW-lworDvKxX_BWqagKYTq"
"wc4ELBcKTQ")
environ = werkzeug_test.EnvironBuilder(
path="/",
headers={
"X-Goog-IAP-JWT-Assertion": assertion_header
},
).get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del request, args, kwargs # Unused.
self.fail("Handler shouldn't have been executed.")
manager = webauth.IAPWebAuthManager()
response = manager.SecurityCheck(Handler, request)
self.assertEqual(response.status_code, 401)
def testSecurityCheckUnicode(self):
user = "******"
# TODO(hanuszczak): Test password with unicode characters as well. Currently
# this will not work because `CryptedPassword` is broken and does not work
# with unicode objects.
password = "******"
self._SetupUser(user, password)
authorization = "{user}:{password}".format(user=user,
password=password)
token = base64.b64encode(authorization.encode("utf-8")).decode("ascii")
environ = werkzeug_test.EnvironBuilder(path="/foo",
headers={
"Authorization":
"Basic %s" % token,
}).get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del args, kwargs # Unused.
self.assertEqual(request.user, user)
return http_response.HttpResponse(b"foobar", status=200)
manager = webauth.BasicWebAuthManager()
response = manager.SecurityCheck(Handler, request)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.get_data(), b"foobar")
def testReportsErrorOnNonHomepagesWhenAuthorizationHeaderIsMissing(self):
environ = werkzeug_test.EnvironBuilder(path="/foo").get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response.get_data(as_text=True),
"JWT token validation failed: JWT token is missing.")
def testRejectsRequestWithoutRemoteUserHeader(self):
environ = werkzeug_test.EnvironBuilder(environ_base={
"REMOTE_ADDR": "127.0.0.1"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response.get_data(as_text=True),
"No username header found.")
def testProcessesRequestWithUsernameFromTrustedIp(self):
environ = werkzeug_test.EnvironBuilder(environ_base={
"REMOTE_ADDR": "127.0.0.1",
"HTTP_X_REMOTE_USER": "******"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response, self.success_response)
def testRejectsRequestFromUntrustedIp(self):
environ = werkzeug_test.EnvironBuilder(environ_base={
"REMOTE_ADDR": "127.0.0.2"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(
response.get_data(as_text=True),
"Request sent from an IP not in AdminUI.remote_user_trusted_ips.")
def testReportsErrorWhenBearerPrefixIsMissing(self):
environ = werkzeug_test.EnvironBuilder(path="/foo",
headers={
"Authorization": "blah"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response.get_data(as_text=True),
"JWT token validation failed: JWT token is missing.")
def testVerifiesTokenWithProjectIdFromDomain(self, mock_method):
environ = werkzeug_test.EnvironBuilder(headers={
"Authorization": "Bearer blah"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(mock_method.call_count, 1)
self.assertEqual(mock_method.call_args_list[0][0], ("blah", request))
self.assertEqual(mock_method.call_args_list[0][1], dict(audience="foo-bar"))
def testRejectsRequestWithEmptyUsername(self):
environ = werkzeug_test.EnvironBuilder(environ_base={
"REMOTE_ADDR": "127.0.0.1",
"HTTP_X_REMOTE_USER": ""
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response.get_data(as_text=True),
"Empty username is not allowed.")
def testPassesThroughHomepageOnVerificationFailure(self, mock_method):
_ = mock_method
environ = werkzeug_test.EnvironBuilder(headers={
"Authorization": "Bearer blah"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response, self.success_response)
def testFillsRequestUserFromTokenEmailOnSuccess(self, mock_method):
_ = mock_method
environ = werkzeug_test.EnvironBuilder(headers={
"Authorization": "Bearer blah"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
self.manager.SecurityCheck(self.HandlerStub, request)
self.assertTrue(self.checked_request)
self.assertEqual(self.checked_request.user, "*****@*****.**")
def testProcessesRequestWithEmail_configDisabled(self):
environ = werkzeug_test.EnvironBuilder(
environ_base={
"REMOTE_ADDR": "127.0.0.1",
"HTTP_X_REMOTE_USER": "******",
"HTTP_X_REMOTE_EXTRA_EMAIL": "*****@*****.**",
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertIsNone(request.email)
self.assertEqual(response, self.success_response)
def testReportsErrorIfIssuerIsWrong(self, mock_method):
_ = mock_method
environ = werkzeug_test.EnvironBuilder(path="/foo",
headers={
"Authorization":
"Bearer blah"
}).get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response.get_data(as_text=True),
"JWT token validation failed: Wrong issuer.")
def testProcessesRequestWithEmail_configEnabled(self):
environ = werkzeug_test.EnvironBuilder(
environ_base={
"REMOTE_ADDR": "127.0.0.1",
"HTTP_X_REMOTE_USER": "******",
"HTTP_X_REMOTE_EXTRA_EMAIL": "*****@*****.**",
}).get_environ()
request = wsgiapp.HttpRequest(environ)
with test_lib.ConfigOverrider({"Email.enable_custom_email_address": True}):
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(request.email, "*****@*****.**")
self.assertEqual(response, self.success_response)
def testNoHeader(self):
"""Test requests sent to the Admin UI without an IAP Header."""
environ = werkzeug_test.EnvironBuilder(path="/").get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del request, args, kwargs # Unused.
return http_response.HttpResponse("foobar", status=200)
manager = webauth.IAPWebAuthManager()
response = manager.SecurityCheck(Handler, request)
self.assertEqual(response.status_code, 401)
def testLogHttpAdminUIAccess(self):
request = wsgiapp.HttpRequest({
"wsgi.url_scheme": "http",
"SERVER_NAME": "foo.bar",
"SERVER_PORT": "1234"
})
request.user = "******"
response = werkzeug_wrappers.Response(status=202,
headers={
"X-GRR-Reason":
"foo/test1234",
"X-API-Method": "TestMethod"
})
self.l.LogHttpAdminUIAccess(request, response)
self.assertIn("foo/test1234", self.log)
def testLogHttpAdminUIAccess(self):
request = wsgiapp.HttpRequest({
"wsgi.url_scheme": "http",
"SERVER_NAME": "foo.bar",
"SERVER_PORT": "1234"
})
request.user = "******"
response = http_response.HttpResponse(
status=202,
headers={"X-API-Method": "TestMethod"},
context=api_call_context.ApiCallContext(
username=request.user,
approval=acl_test_lib.BuildClientApprovalRequest(
reason="foo/test1234", requestor_username=request.user)))
self.l.LogHttpAdminUIAccess(request, response)
self.assertIn("foo/test1234", self.log)
def testSuccessfulKey(self, mock_method):
"""Validate account creation upon successful JWT Authentication."""
environ = werkzeug_test.EnvironBuilder(
path="/", headers={
"X-Goog-IAP-JWT-Assertion": ("valid_key")
}).get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del args, kwargs # Unused.
self.assertEqual(request.user, "temp")
return http_response.HttpResponse("success", status=200)
manager = webauth.IAPWebAuthManager()
response = manager.SecurityCheck(Handler, request)
self.assertEqual(response.status_code, 200)
def testFailedSignatureKey(self, mock_get):
"""Test requests with an invalid JWT Token."""
mock_get.return_value.status_code = 200
mock_get.return_value.json.return_value = {
"6BEeoA":
("-----BEGIN PUBLIC KEY-----\n"
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\n"
"oowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n"
"-----END PUBLIC KEY-----\n"),
}
assertion_header = (
"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsI"
"mtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20"
"vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaDciLCJlbWFpbCI6ImFaaaaaaaazaaaaaaaaaaaaaaaaaaaaaa8iLCJhd"
"WQiOiIvcHJvamVjdaaaaaaaaaaaaaaaaaayaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaayOegyMzkzOTQ2NCIsImV4cCI6MTU0Njk4MDUwNiwiaWF0Ijo"
"xNTQ2OTc5OTA2LCJaaCI6InNwb3apaaaaaaaaaaaaaaapayJ9.NZwDs0U_fubYS"
"OmYNJAI9ufgoC84zXOCzZkxclWBVXhb1dBVQHpO-VZW-lworDvKxX_BWqagKYTq"
"wc4ELBcKTQ")
environ = werkzeug_test.EnvironBuilder(
path="/",
headers={
"X-Goog-IAP-JWT-Assertion": assertion_header
},
).get_environ()
request = wsgiapp.HttpRequest(environ)
def Handler(request, *args, **kwargs):
del request, args, kwargs # Unused.
self.fail("Handler shouldn't have been executed.")
manager = webauth.IAPWebAuthManager()
response = manager.SecurityCheck(Handler, request)
mock_get.assert_called_once_with(
"https://www.gstatic.com/iap/verify/public_key")
self.assertEqual(response.status_code, 401)
def testPassesThroughHomepageWhenAuthorizationHeaderIsMissing(self):
environ = werkzeug_test.EnvironBuilder().get_environ()
request = wsgiapp.HttpRequest(environ)
response = self.manager.SecurityCheck(self.HandlerStub, request)
self.assertEqual(response, self.success_response)
