Example #1
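 def check(self, token) -> bool:
     """Validate a peer-supplied GSSAPI token on the acceptor side.

     Args:
         token: the GSS token received from the peer. It is untrusted input
             and is handed to the GSSAPI library unmodified.

     Returns:
         The value of ``server_ctx.complete`` after a single ``step()``,
         or False when the gssapi bindings cannot be imported.

     Raises:
         AssertionError: if no challenge was sent before this call.
         Any exception raised by ``step()`` propagates to the caller.
     """
     # NOTE(review): the token repr is written to the log here; confirm this
     # logger is debug-only, since the token is authentication material.
     log("check(%s)", repr(token))
     # Explicit state check rather than `assert`: assert statements are
     # stripped under `python -O`, which would silently remove this guard
     # from the authentication path. The exception type is kept for callers.
     if not self.challenge_sent:
         raise AssertionError("check() called before a challenge was sent")
     try:
         from gssapi import creds as gsscreds
         from gssapi import sec_contexts as gssctx
     except ImportError as e:
         # Fail closed: without the bindings nothing can be verified.
         log("check(..)", exc_info=True)
         log.warn("Warning: cannot use gss authentication:")
         log.warn(" %s", e)
         return False
     server_creds = gsscreds.Credentials(usage='accept')
     server_ctx = gssctx.SecurityContext(creds=server_creds)
     # Nothing here catches a failure of step(): a rejected token surfaces
     # as an exception rather than as a False return value.
     server_ctx.step(token)
     # NOTE(review): only context completion is checked. The initiator's
     # identity (server_ctx.initiator_name) is not compared with any expected
     # user in this method - confirm the caller performs that authorization.
     return server_ctx.complete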
Example #2
    def test_defer_step_error_on_method(self):
        """Deferred step errors: a bindings mismatch is raised by encrypt().

        The acceptor's step() is expected to return a token even though its
        channel bindings differ from the initiator's; the error is expected
        on the next method call instead.
        """
        # Class-level switch, so it applies to every context created later.
        # NOTE(review): this method never resets it - presumably a tearDown
        # does; confirm, otherwise it leaks into other tests.
        gssctx.SecurityContext.__DEFER_STEP_ERRORS__ = True
        bindings = gb.ChannelBindings(application_data=b'abcxyz')
        initiator = self._create_client_ctx(lifetime=400,
                                            channel_bindings=bindings)

        first_token = initiator.step()
        self.assertIsInstance(first_token, bytes)

        # Mutate the bindings after the initiator token was produced, so the
        # acceptor is created with different application data.
        bindings.application_data = b'defuvw'
        acceptor = gssctx.SecurityContext(creds=self.server_creds,
                                          channel_bindings=bindings)
        reply = acceptor.step(first_token)
        self.assertIsInstance(reply, bytes)

        encrypt = acceptor.encrypt
        with self.assertRaises(gb.BadChannelBindingsError):
            encrypt(b"test")
    def test_bad_channel_bindings_raises_error(self):
        """An acceptor whose bindings differ must reject the token in step().

        The initiator token is produced with matching loopback addresses;
        the acceptor address is then changed before the acceptor context is
        built, and step() is expected to raise BadChannelBindingsError.
        """
        loopback = b'127.0.0.1'
        bindings = gb.ChannelBindings(
            application_data=b'abcxyz',
            initiator_address_type=gb.AddressType.ip,
            initiator_address=loopback,
            acceptor_address_type=gb.AddressType.ip,
            acceptor_address=loopback,
        )
        initiator = self._create_client_ctx(lifetime=400,
                                            channel_bindings=bindings)

        first_token = initiator.step()
        first_token.should_be_a(bytes)

        # Only the acceptor address changes; everything else still matches.
        bindings.acceptor_address = b'127.0.1.0'
        acceptor = gssctx.SecurityContext(creds=self.server_creds,
                                          channel_bindings=bindings)
        acceptor.step.should_raise(gb.BadChannelBindingsError, first_token)
    def test_defer_step_error_on_complete_property_access(self):
        """Deferred step errors: the mismatch is raised when reading .complete.

        As with the method variant, step() on the acceptor is expected to
        return bytes; the BadChannelBindingsError is expected only once the
        ``complete`` property is read.
        """
        # Class-level switch, so it applies to every context created later.
        # NOTE(review): not reset in this method - presumably handled by a
        # tearDown; confirm.
        gssctx.SecurityContext.__DEFER_STEP_ERRORS__ = True
        bindings = gb.ChannelBindings(application_data=b'abcxyz')
        initiator = self._create_client_ctx(lifetime=400,
                                            channel_bindings=bindings)

        first_token = initiator.step()
        first_token.should_be_a(bytes)

        # Acceptor gets different application data than the initiator used.
        bindings.application_data = b'defuvw'
        acceptor = gssctx.SecurityContext(creds=self.server_creds,
                                          channel_bindings=bindings)
        reply = acceptor.step(first_token)
        reply.should_be_a(bytes)

        # Property access is wrapped in a function so should_raise can call it.
        def read_complete():
            return acceptor.complete

        read_complete.should_raise(gb.BadChannelBindingsError)
Example #5
    def test_channel_bindings(self):
        """Both sides use the same channel bindings and the exchange proceeds.

        Each step() is checked to return bytes; the final initiator step has
        no assertion and only needs to run without raising.
        """
        loopback = b'127.0.0.1'
        bindings = gb.ChannelBindings(
            application_data=b'abcxyz',
            initiator_address_type=gb.AddressType.ip,
            initiator_address=loopback,
            acceptor_address_type=gb.AddressType.ip,
            acceptor_address=loopback,
        )
        initiator = self._create_client_ctx(lifetime=400,
                                            channel_bindings=bindings)

        first_token = initiator.step()
        self.assertIsInstance(first_token, bytes)

        # Same bindings object on the acceptor side, so they match.
        acceptor = gssctx.SecurityContext(creds=self.server_creds,
                                          channel_bindings=bindings)
        reply = acceptor.step(first_token)
        self.assertIsInstance(reply, bytes)

        initiator.step(reply)
 def create_sec_context():
     """Construct an 'accept' context that is also given a target name.

     The context is built and discarded; nothing is returned.
     NOTE(review): `self` is a free variable here, so this is presumably a
     helper nested inside a test method - confirm against the full file.
     """
     ctx_cls = gssctx.SecurityContext
     ctx_cls(usage='accept', name=self.target_name)
 def test_create_new_accept(self):
     """A context created from credentials alone reports usage 'accept'."""
     acceptor = gssctx.SecurityContext(creds=self.server_creds)
     reported_usage = acceptor.usage
     reported_usage.should_be('accept')
 def test_create_from_other(self):
     """Wrapping an existing client context keeps its target name."""
     # The helper returns a (client, server) pair; only the client is used.
     raw_client, _raw_server = self._create_completed_contexts()
     wrapped = gssctx.SecurityContext(raw_client)
     wrapped.target_name.should_be(self.target_name)
 def _create_client_ctx(self, **kwargs):
     """Build a SecurityContext aimed at ``self.target_name``.

     Any extra keyword arguments are forwarded unchanged to the
     SecurityContext constructor.
     """
     ctx_cls = gssctx.SecurityContext
     return ctx_cls(name=self.target_name, **kwargs)
Example #10
 def test_create_new_accept(self):
     """A context created from credentials alone reports usage 'accept'."""
     acceptor = gssctx.SecurityContext(creds=self.server_creds)
     reported_usage = acceptor.usage
     self.assertEqual(reported_usage, "accept")