def testSecurityCheckUnicode(self): user = "******" # TODO(hanuszczak): Test password with unicode characters as well. Currently # this will not work because `CryptedPassword` is broken and does not work # with unicode objects. password = "******" with aff4.FACTORY.Open("aff4:/users/%s" % user, aff4_type=aff4_users.GRRUser, mode="w", token=self.token) as fd: crypted_password = aff4_users.CryptedPassword() crypted_password.SetPassword(password.encode("utf-8")) fd.Set(fd.Schema.PASSWORD, crypted_password) token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")) environ = werkzeug_test.EnvironBuilder(path="/foo", headers={ "Authorization": "Basic %s" % token, }).get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del args, kwargs # Unused. self.assertEqual(request.user, user) return werkzeug_wrappers.Response("foobar", status=200) manager = webauth.BasicWebAuthManager() response = manager.SecurityCheck(Handler, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.get_data(), "foobar")
def testFailedSignatureKey(self): """Test requests with an invalid JWT Token.""" assertion_header = ( "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsI" "mtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20" "vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaDciLCJlbWFpbCI6ImFaaaaaaaazaaaaaaaaaaaaaaaaaaaaaa8iLCJhd" "WQiOiIvcHJvamVjdaaaaaaaaaaaaaaaaaayaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaayOegyMzkzOTQ2NCIsImV4cCI6MTU0Njk4MDUwNiwiaWF0Ijo" "xNTQ2OTc5OTA2LCJaaCI6InNwb3apaaaaaaaaaaaaaaapayJ9.NZwDs0U_fubYS" "OmYNJAI9ufgoC84zXOCzZkxclWBVXhb1dBVQHpO-VZW-lworDvKxX_BWqagKYTq" "wc4ELBcKTQ") environ = werkzeug_test.EnvironBuilder( path="/", headers={ "X-Goog-IAP-JWT-Assertion": assertion_header }, ).get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del request, args, kwargs # Unused. self.fail("Handler shouldn't have been executed.") manager = webauth.IAPWebAuthManager() response = manager.SecurityCheck(Handler, request) self.assertEqual(response.status_code, 401)
def testSecurityCheckUnicode(self): user = "******" # TODO(hanuszczak): Test password with unicode characters as well. Currently # this will not work because `CryptedPassword` is broken and does not work # with unicode objects. password = "******" self._SetupUser(user, password) authorization = "{user}:{password}".format(user=user, password=password) token = base64.b64encode(authorization.encode("utf-8")).decode("ascii") environ = werkzeug_test.EnvironBuilder(path="/foo", headers={ "Authorization": "Basic %s" % token, }).get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del args, kwargs # Unused. self.assertEqual(request.user, user) return http_response.HttpResponse(b"foobar", status=200) manager = webauth.BasicWebAuthManager() response = manager.SecurityCheck(Handler, request) self.assertEqual(response.status_code, 200) self.assertEqual(response.get_data(), b"foobar")
def testReportsErrorOnNonHomepagesWhenAuthorizationHeaderIsMissing(self): environ = werkzeug_test.EnvironBuilder(path="/foo").get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response.get_data(as_text=True), "JWT token validation failed: JWT token is missing.")
def testRejectsRequestWithoutRemoteUserHeader(self): environ = werkzeug_test.EnvironBuilder(environ_base={ "REMOTE_ADDR": "127.0.0.1" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response.get_data(as_text=True), "No username header found.")
def testProcessesRequestWithUsernameFromTrustedIp(self): environ = werkzeug_test.EnvironBuilder(environ_base={ "REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "******" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response, self.success_response)
def testRejectsRequestFromUntrustedIp(self): environ = werkzeug_test.EnvironBuilder(environ_base={ "REMOTE_ADDR": "127.0.0.2" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual( response.get_data(as_text=True), "Request sent from an IP not in AdminUI.remote_user_trusted_ips.")
def testReportsErrorWhenBearerPrefixIsMissing(self): environ = werkzeug_test.EnvironBuilder(path="/foo", headers={ "Authorization": "blah" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response.get_data(as_text=True), "JWT token validation failed: JWT token is missing.")
def testVerifiesTokenWithProjectIdFromDomain(self, mock_method): environ = werkzeug_test.EnvironBuilder(headers={ "Authorization": "Bearer blah" }).get_environ() request = wsgiapp.HttpRequest(environ) self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(mock_method.call_count, 1) self.assertEqual(mock_method.call_args_list[0][0], ("blah", request)) self.assertEqual(mock_method.call_args_list[0][1], dict(audience="foo-bar"))
def testRejectsRequestWithEmptyUsername(self): environ = werkzeug_test.EnvironBuilder(environ_base={ "REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response.get_data(as_text=True), "Empty username is not allowed.")
def testPassesThroughHomepageOnVerificationFailure(self, mock_method): _ = mock_method environ = werkzeug_test.EnvironBuilder(headers={ "Authorization": "Bearer blah" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response, self.success_response)
def testFillsRequestUserFromTokenEmailOnSuccess(self, mock_method): _ = mock_method environ = werkzeug_test.EnvironBuilder(headers={ "Authorization": "Bearer blah" }).get_environ() request = wsgiapp.HttpRequest(environ) self.manager.SecurityCheck(self.HandlerStub, request) self.assertTrue(self.checked_request) self.assertEqual(self.checked_request.user, "*****@*****.**")
def testProcessesRequestWithEmail_configDisabled(self): environ = werkzeug_test.EnvironBuilder( environ_base={ "REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "******", "HTTP_X_REMOTE_EXTRA_EMAIL": "*****@*****.**", }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertIsNone(request.email) self.assertEqual(response, self.success_response)
def testReportsErrorIfIssuerIsWrong(self, mock_method): _ = mock_method environ = werkzeug_test.EnvironBuilder(path="/foo", headers={ "Authorization": "Bearer blah" }).get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response.get_data(as_text=True), "JWT token validation failed: Wrong issuer.")
def testProcessesRequestWithEmail_configEnabled(self): environ = werkzeug_test.EnvironBuilder( environ_base={ "REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "******", "HTTP_X_REMOTE_EXTRA_EMAIL": "*****@*****.**", }).get_environ() request = wsgiapp.HttpRequest(environ) with test_lib.ConfigOverrider({"Email.enable_custom_email_address": True}): response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(request.email, "*****@*****.**") self.assertEqual(response, self.success_response)
def testNoHeader(self): """Test requests sent to the Admin UI without an IAP Header.""" environ = werkzeug_test.EnvironBuilder(path="/").get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del request, args, kwargs # Unused. return http_response.HttpResponse("foobar", status=200) manager = webauth.IAPWebAuthManager() response = manager.SecurityCheck(Handler, request) self.assertEqual(response.status_code, 401)
def testLogHttpAdminUIAccess(self): request = wsgiapp.HttpRequest({ "wsgi.url_scheme": "http", "SERVER_NAME": "foo.bar", "SERVER_PORT": "1234" }) request.user = "******" response = werkzeug_wrappers.Response(status=202, headers={ "X-GRR-Reason": "foo/test1234", "X-API-Method": "TestMethod" }) self.l.LogHttpAdminUIAccess(request, response) self.assertIn("foo/test1234", self.log)
def testLogHttpAdminUIAccess(self): request = wsgiapp.HttpRequest({ "wsgi.url_scheme": "http", "SERVER_NAME": "foo.bar", "SERVER_PORT": "1234" }) request.user = "******" response = http_response.HttpResponse( status=202, headers={"X-API-Method": "TestMethod"}, context=api_call_context.ApiCallContext( username=request.user, approval=acl_test_lib.BuildClientApprovalRequest( reason="foo/test1234", requestor_username=request.user))) self.l.LogHttpAdminUIAccess(request, response) self.assertIn("foo/test1234", self.log)
def testSuccessfulKey(self, mock_method): """Validate account creation upon successful JWT Authentication.""" environ = werkzeug_test.EnvironBuilder( path="/", headers={ "X-Goog-IAP-JWT-Assertion": ("valid_key") }).get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del args, kwargs # Unused. self.assertEqual(request.user, "temp") return http_response.HttpResponse("success", status=200) manager = webauth.IAPWebAuthManager() response = manager.SecurityCheck(Handler, request) self.assertEqual(response.status_code, 200)
def testFailedSignatureKey(self, mock_get): """Test requests with an invalid JWT Token.""" mock_get.return_value.status_code = 200 mock_get.return_value.json.return_value = { "6BEeoA": ("-----BEGIN PUBLIC KEY-----\n" "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElmi1hJdqtbvdX1INOf5B9dWvkydY\n" "oowHUXiw8ELWzk/YHESNr8vXQoyOuLOEtLZeCQbFkeLUqxYp1sTArKNu/A==\n" "-----END PUBLIC KEY-----\n"), } assertion_header = ( "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsI" "mtpZCI6IjZCRWVvQSJ9.eyJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20" "vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaDciLCJlbWFpbCI6ImFaaaaaaaazaaaaaaaaaaaaaaaaaaaaaa8iLCJhd" "WQiOiIvcHJvamVjdaaaaaaaaaaaaaaaaaayaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaayOegyMzkzOTQ2NCIsImV4cCI6MTU0Njk4MDUwNiwiaWF0Ijo" "xNTQ2OTc5OTA2LCJaaCI6InNwb3apaaaaaaaaaaaaaaapayJ9.NZwDs0U_fubYS" "OmYNJAI9ufgoC84zXOCzZkxclWBVXhb1dBVQHpO-VZW-lworDvKxX_BWqagKYTq" "wc4ELBcKTQ") environ = werkzeug_test.EnvironBuilder( path="/", headers={ "X-Goog-IAP-JWT-Assertion": assertion_header }, ).get_environ() request = wsgiapp.HttpRequest(environ) def Handler(request, *args, **kwargs): del request, args, kwargs # Unused. self.fail("Handler shouldn't have been executed.") manager = webauth.IAPWebAuthManager() response = manager.SecurityCheck(Handler, request) mock_get.assert_called_once_with( "https://www.gstatic.com/iap/verify/public_key") self.assertEqual(response.status_code, 401)
def testPassesThroughHomepageWhenAuthorizationHeaderIsMissing(self): environ = werkzeug_test.EnvironBuilder().get_environ() request = wsgiapp.HttpRequest(environ) response = self.manager.SecurityCheck(self.HandlerStub, request) self.assertEqual(response, self.success_response)