def test_authentication_with_far_future_timestamp_fails(self):
    """A signed request whose oauth_timestamp is ~1000s ahead of now gets a 401.

    The far-future timestamp is placed in the header *before* signing, so the
    rejection is expected to come from the server's timestamp window rather
    than from a signature mismatch (assuming sign_request honours a pre-set
    parameter the way the reused-nonce test relies on).
    """
    session = self._start_session()
    req = Request.blank("/")
    far_future = str(int(time.time() + 1000))
    req.authorization = ("OAuth", {"oauth_timestamp": far_future})
    sign_request(req, **session)
    self.app.request(req, status=401)
def test_authentication_without_nonce_fails(self):
    """A signed request whose nonce parameter has been renamed gets a 401.

    The header is signed first and then ``nonce`` is rewritten to
    ``typonce``, so the server sees no nonce parameter at all.  Note that
    ``str.replace`` is global: should the random nonce value or the signature
    happen to contain the substring ``nonce`` it would be rewritten too.
    That still yields a 401, just for a different reason.
    """
    session = self._start_session()
    req = Request.blank("/")
    sign_request(req, **session)
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace("nonce", "typonce")
    self.app.request(req, status=401)
def test_authentication_with_plaintext_sig_method_fails(self):
    """Rewriting oauth_signature_method to PLAINTEXT after signing gets a 401.

    NOTE(review): the header is signed with HMAC-SHA1 and only the method
    name is swapped afterwards, so the oauth_signature value in the header is
    still the HMAC.  A server that *did* accept PLAINTEXT would presumably
    reject this request anyway as a plain signature mismatch, so this test
    cannot on its own prove that the PLAINTEXT downgrade is refused.  Pinning
    that would require sending a PLAINTEXT-formed signature (the shared
    secret) and still expecting a 401.
    """
    session = self._start_session()
    req = Request.blank("/")
    sign_request(req, **session)
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace("HMAC-SHA1", "PLAINTEXT")
    self.app.request(req, status=401)
def test_authentication_with_busted_token_fails(self):
    """A signed request whose consumer key has been altered gets a 401.

    The key is prefixed with ``XXX`` in the already-signed header, so it no
    longer names the session's token (and the signature was computed for the
    real key).  ``str.replace`` is global, so every occurrence of the key
    string in the header is rewritten.
    """
    session = self._start_session()
    req = Request.blank("/")
    sign_request(req, **session)
    consumer_key = parse_authz_header(req)["oauth_consumer_key"]
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace(consumer_key, "XXX" + consumer_key)
    self.app.request(req, status=401)
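def test_authentication_with_busted_signature_fails(self):
    """A request whose MAC signature has been tampered with gets a 401.

    Two corruptions are tried on otherwise valid signed requests: a longer
    signature (``XXX`` prefixed) and a same-length signature (first character
    changed).  The second case is the one a verifier that only compared a
    prefix or suffix of the expected value, or ignored length, would miss.
    """
    session = self._start_session()

    # Corruption 1: make the signature longer than the real one.
    req = Request.blank("/")
    sign_request(req, **session)
    signature = parse_authz_header(req)["mac"]
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace(signature, "XXX" + signature)
    self.app.request(req, status=401)

    # Corruption 2: keep the length, change one character.  A fresh request
    # is signed so that a new nonce/timestamp is used.
    req = Request.blank("/")
    sign_request(req, **session)
    signature = parse_authz_header(req)["mac"]
    flipped = ("A" if signature[0] != "A" else "B") + signature[1:]
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace(signature, flipped)
    self.app.request(req, status=401)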
def test_authentication_with_reused_nonce_fails(self):
    """Replaying a nonce under the same token is rejected with a 401.

    Both requests are signed with the same session and carry the fixed nonce
    ``PEPPER``.  The first is accepted and the protected resource is served;
    the second must be refused, which is what stops a captured request from
    being replayed.
    """
    session = self._start_session()

    def signed_request_with_fixed_nonce():
        req = Request.blank("/")
        req.authorization = ("MAC", {"nonce": "PEPPER"})
        sign_request(req, **session)
        return req

    # First use of the nonce: accepted.
    first = self.app.request(signed_request_with_fixed_nonce())
    self.assertEquals(first.body, "*****@*****.**")
    # Second use of the very same nonce: rejected.
    self.app.request(signed_request_with_fixed_nonce(), status=401)
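def test_authentication_with_far_future_timestamp_fails(self):
    """A MAC request whose ``ts`` is ~1000s ahead of now gets a 401.

    An initial request carrying the current time is sent first so that the
    server can calculate and cache this client's clock skew.  The far-future
    request is then built as a *fresh* Request rather than by overwriting
    and re-signing the one that was already dispatched; this matches how the
    reused-nonce test sends two requests and does not rely on the test
    client leaving a dispatched Request untouched.
    """
    session = self._start_session()

    # Initial request with the current time: lets the server calculate and
    # cache our clock skew.
    req = Request.blank("/")
    now = str(int(time.time()))
    req.authorization = ("MAC", {"ts": now})
    sign_request(req, **session)
    self.app.request(req, status=200)

    # Fresh request with a timestamp well outside any sane window.
    req = Request.blank("/")
    far_future = str(int(time.time() + 1000))
    req.authorization = ("MAC", {"ts": far_future})
    sign_request(req, **session)
    self.app.request(req, status=401)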
def test_access_to_public_urls(self):
    """Public URLs are served with no credentials or valid ones, but a
    request presenting *invalid* credentials still gets a 401.

    The last case is the security-relevant one: tampered credentials on a
    public path are rejected outright rather than being ignored and the
    request treated as anonymous.
    """
    # No credentials at all: served.
    resp = self.app.request(Request.blank("/public"))
    self.assertEquals(resp.body, "public")

    # Valid credentials: served.
    session = self._start_session()
    req = Request.blank("/public")
    sign_request(req, **session)
    resp = self.app.request(req)
    self.assertEquals(resp.body, "public")

    # Tampered signature: rejected even though the path needs no auth.
    req = Request.blank("/public")
    sign_request(req, **session)
    signature = parse_authz_header(req)["mac"]
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace(signature, "XXX" + signature)
    self.app.request(req, status=401)
def test_authenticated_request_works(self):
    """A correctly signed request reaches the protected resource."""
    session = self._start_session()
    req = Request.blank("/")
    sign_request(req, **session)
    resp = self.app.request(req)
    self.assertEquals(resp.body, "*****@*****.**")
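def test_sign_request_throws_away_other_auth_params(self):
    """sign_request replaces a pre-existing non-MAC Authorization header.

    The request starts out with a Digest header carrying a ``response``
    parameter.  After signing, the scheme must be ``MAC`` and the Digest
    parameter must not have been carried over; checking only the scheme
    would let a stray parameter survive unnoticed.
    """
    req = Request.blank("/")
    req.authorization = ("Digest", {"response": "helloworld"})
    sign_request(req, "token", "secret")
    scheme, params = req.authorization
    self.assertEquals(scheme, "MAC")
    # ``params`` may be a parsed dict or the raw parameter string depending
    # on how the scheme is parsed (other tests go through parse_authz_header
    # for that reason); ``in`` covers both forms.
    self.assertNotIn("response", params)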
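def test_sign_request_throws_away_other_auth_params(self):
    """sign_request replaces a pre-existing non-OAuth Authorization header.

    The request starts out with a Digest header carrying a ``response``
    parameter.  After signing, the scheme must be ``OAuth`` and the Digest
    parameter must not have been carried over; checking only the scheme
    would let a stray parameter survive unnoticed.
    """
    req = Request.blank("/")
    req.authorization = ("Digest", {"response": "helloworld"})
    sign_request(req, "token", "secret")
    scheme, params = req.authorization
    self.assertEquals(scheme, "OAuth")
    # ``params`` may be a parsed dict or the raw parameter string depending
    # on how the scheme is parsed (other tests go through parse_authz_header
    # for that reason); ``in`` covers both forms.
    self.assertNotIn("response", params)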