def test_authentication_with_far_future_timestamp_fails(self):
     """Expect a 401 for a request stamped 1000 seconds ahead of local time.

     The skewed ``oauth_timestamp`` is placed in the OAuth parameters
     before ``sign_request`` runs, presumably so the signature covers the
     skewed value and only the freshness check can reject it (confirm
     against ``sign_request``).
     """
     # NOTE(review): this method name is defined more than once in this
     # listing with a different body; inside a single TestCase only the last
     # definition would run. Confirm the copies live in separate classes.
     credentials = self._start_session()
     request = Request.blank("/")
     future_ts = str(int(time.time() + 1000))
     request.authorization = ("OAuth", {"oauth_timestamp": future_ts})
     sign_request(request, **credentials)
     self.app.request(request, status=401)
 def test_authentication_without_nonce_fails(self):
     """Expect a 401 when the signed header no longer has a "nonce" field.

     The request is signed normally, then every "nonce" substring in the
     Authorization header is rewritten to "typonce" before it is sent.
     """
     credentials = self._start_session()
     request = Request.blank("/")
     sign_request(request, **credentials)
     header_key = "HTTP_AUTHORIZATION"
     # Rename the field after signing so the rest of the header is untouched.
     request.environ[header_key] = request.environ[header_key].replace(
         "nonce", "typonce"
     )
     self.app.request(request, status=401)
 def test_authentication_without_nonce_fails(self):
     """Send a signed request whose nonce field was renamed; expect a 401."""
     session_kwargs = self._start_session()
     signed = Request.blank("/")
     sign_request(signed, **session_kwargs)
     original_header = signed.environ["HTTP_AUTHORIZATION"]
     # "nonce" -> "typonce": the server should find no nonce in the header.
     tampered_header = original_header.replace("nonce", "typonce")
     signed.environ["HTTP_AUTHORIZATION"] = tampered_header
     self.app.request(signed, status=401)
 def test_authentication_with_plaintext_sig_method_fails(self):
     """Expect a 401 when the header's HMAC-SHA1 label is swapped to PLAINTEXT.

     The swap happens after signing, so the signature value itself is
     still the one ``sign_request`` produced.
     """
     credentials = self._start_session()
     request = Request.blank("/")
     sign_request(request, **credentials)
     header_key = "HTTP_AUTHORIZATION"
     # NOTE(review): a 401 alone does not show whether PLAINTEXT is refused
     # outright or the signature merely fails to verify under it.
     request.environ[header_key] = request.environ[header_key].replace(
         "HMAC-SHA1", "PLAINTEXT"
     )
     self.app.request(request, status=401)
 def test_authentication_with_busted_token_fails(self):
     """Expect a 401 when the consumer key in a signed header is corrupted.

     The ``oauth_consumer_key`` value is read back from the signed request
     and every occurrence of it in the header gets an "XXX" prefix.
     """
     credentials = self._start_session()
     request = Request.blank("/")
     sign_request(request, **credentials)
     consumer_key = parse_authz_header(request)["oauth_consumer_key"]
     header_key = "HTTP_AUTHORIZATION"
     # Corrupt the token only after signing; nothing is re-signed afterwards.
     request.environ[header_key] = request.environ[header_key].replace(
         consumer_key, "XXX" + consumer_key
     )
     self.app.request(request, status=401)
 def test_authentication_with_busted_signature_fails(self):
     """Expect a 401 when the "mac" value of a signed header is altered.

     The signature is read back from the signed request and every
     occurrence of it in the header gets an "XXX" prefix.
     """
     credentials = self._start_session()
     request = Request.blank("/")
     sign_request(request, **credentials)
     mac_value = parse_authz_header(request)["mac"]
     header_key = "HTTP_AUTHORIZATION"
     # All other header fields are left exactly as they were signed.
     request.environ[header_key] = request.environ[header_key].replace(
         mac_value, "XXX" + mac_value
     )
     self.app.request(request, status=401)
 def test_authentication_with_busted_signature_fails(self):
     """Tamper with the "mac" field of a signed request; expect a 401."""
     session_kwargs = self._start_session()
     signed = Request.blank("/")
     sign_request(signed, **session_kwargs)
     good_mac = parse_authz_header(signed)["mac"]
     original_header = signed.environ["HTTP_AUTHORIZATION"]
     # Prefix the signature so it can no longer match what was computed.
     tampered_header = original_header.replace(good_mac, "XXX" + good_mac)
     signed.environ["HTTP_AUTHORIZATION"] = tampered_header
     self.app.request(signed, status=401)
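 def test_authentication_with_reused_nonce_fails(self):
     """Check that a nonce is accepted once and refused on reuse.

     Two separately signed requests carry the same fixed nonce "PEPPER".
     The first must return the expected body; the second must get a 401.
     """
     session = self._start_session()
     # First request with that nonce should succeed.
     req = Request.blank("/")
     req.authorization = ("MAC", {"nonce": "PEPPER"})
     sign_request(req, **session)
     r = self.app.request(req)
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(r.body, "*****@*****.**")
     # Second request with that nonce should fail.  A fresh Request is
     # signed again, so only the repeated nonce distinguishes it.
     req = Request.blank("/")
     req.authorization = ("MAC", {"nonce": "PEPPER"})
     sign_request(req, **session)
     self.app.request(req, status=401)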
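 def test_authentication_with_reused_nonce_fails(self):
     """Send the nonce "PEPPER" twice; the first use passes, the replay gets a 401."""
     session = self._start_session()
     # First request with that nonce should succeed.
     req = Request.blank("/")
     req.authorization = ("MAC", {"nonce": "PEPPER"})
     sign_request(req, **session)
     r = self.app.request(req)
     # Use assertEqual: the assertEquals alias is deprecated and was
     # removed in Python 3.12.
     self.assertEqual(r.body, "*****@*****.**")
     # Second request with that nonce should fail, even though it is
     # built and signed from scratch with the same session.
     req = Request.blank("/")
     req.authorization = ("MAC", {"nonce": "PEPPER"})
     sign_request(req, **session)
     self.app.request(req, status=401)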
 def test_authentication_with_far_future_timestamp_fails(self):
     """Expect a 401 for a timestamp 1000 seconds ahead, after a valid request.

     The same request object is signed twice: first with the current
     time (expecting 200), then with the skewed time (expecting 401).
     """
     credentials = self._start_session()
     request = Request.blank("/")
     # Prime the server with a current-time request so that it can
     # work out and cache this client's clock skew.
     current_ts = str(int(time.time()))
     request.authorization = ("MAC", {"ts": current_ts})
     sign_request(request, **credentials)
     self.app.request(request, status=200)
     # Re-sign with a timestamp far in the future; this one must be refused.
     future_ts = str(int(time.time() + 1000))
     request.authorization = ("MAC", {"ts": future_ts})
     sign_request(request, **credentials)
     self.app.request(request, status=401)
 def test_authentication_with_far_future_timestamp_fails(self):
     """Accept a current ``ts``, then refuse one that is 1000 seconds ahead."""
     session_kwargs = self._start_session()
     signed = Request.blank("/")
     # The initial, correctly timed request lets the server calculate
     # and cache the clock skew for this session.
     signed.authorization = ("MAC", {"ts": str(int(time.time()))})
     sign_request(signed, **session_kwargs)
     self.app.request(signed, status=200)
     # Same request object, now stamped well into the future.
     signed.authorization = ("MAC", {"ts": str(int(time.time() + 1000))})
     sign_request(signed, **session_kwargs)
     self.app.request(signed, status=401)
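 def test_access_to_public_urls(self):
     """Exercise "/public" with no, valid and tampered credentials.

     Anonymous and correctly signed requests must both return the body
     "public"; a request whose "mac" value was altered must get a 401
     even though the URL is public.
     """
     # Request with no credentials is allowed access.
     req = Request.blank("/public")
     resp = self.app.request(req)
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(resp.body, "public")
     # Request with valid credentials is allowed access.
     session = self._start_session()
     req = Request.blank("/public")
     sign_request(req, **session)
     resp = self.app.request(req)
     self.assertEqual(resp.body, "public")
     # Request with invalid credentials gets a 401.
     req = Request.blank("/public")
     sign_request(req, **session)
     signature = parse_authz_header(req)["mac"]
     authz = req.environ["HTTP_AUTHORIZATION"]
     authz = authz.replace(signature, "XXX" + signature)
     req.environ["HTTP_AUTHORIZATION"] = authz
     # The response is not inspected further, so it is not bound to a name.
     self.app.request(req, status=401)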
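 def test_access_to_public_urls(self):
     """Check "/public": open to anonymous and valid callers, 401 on a bad MAC."""
     # Request with no credentials is allowed access.
     req = Request.blank("/public")
     resp = self.app.request(req)
     # Use assertEqual: the assertEquals alias is deprecated and was
     # removed in Python 3.12.
     self.assertEqual(resp.body, "public")
     # Request with valid credentials is allowed access.
     session = self._start_session()
     req = Request.blank("/public")
     sign_request(req, **session)
     resp = self.app.request(req)
     self.assertEqual(resp.body, "public")
     # Request with invalid credentials gets a 401: presenting a broken
     # signature is refused rather than downgraded to anonymous access.
     req = Request.blank("/public")
     sign_request(req, **session)
     signature = parse_authz_header(req)["mac"]
     authz = req.environ["HTTP_AUTHORIZATION"]
     authz = authz.replace(signature, "XXX" + signature)
     req.environ["HTTP_AUTHORIZATION"] = authz
     # Dropped the unused ``resp`` binding; only the status is checked.
     self.app.request(req, status=401)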
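 def test_authenticated_request_works(self):
     """Sign a request to "/" with a fresh session and check the response body."""
     session = self._start_session()
     req = Request.blank("/")
     sign_request(req, **session)
     r = self.app.request(req)
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(r.body, "*****@*****.**")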
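 def test_sign_request_throws_away_other_auth_params(self):
     """Check that signing replaces a pre-existing Digest header with MAC.

     Only the scheme name (``req.authorization[0]``) is asserted; the
     Digest "response" parameter is not checked for explicitly.
     """
     # NOTE(review): this method name is defined twice in this listing, the
     # other copy expecting "OAuth"; inside one TestCase only the last
     # definition would run. Confirm the copies live in separate classes.
     req = Request.blank("/")
     req.authorization = ("Digest", {"response": "helloworld"})
     sign_request(req, "token", "secret")
     # assertEqual replaces the deprecated assertEquals alias, which was
     # removed in Python 3.12.
     self.assertEqual(req.authorization[0], "MAC")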
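 def test_sign_request_throws_away_other_auth_params(self):
     """Check that signing replaces a pre-existing Digest header with OAuth.

     Only the scheme name (``req.authorization[0]``) is asserted; the
     Digest "response" parameter is not checked for explicitly.
     """
     req = Request.blank("/")
     req.authorization = ("Digest", {"response": "helloworld"})
     sign_request(req, "token", "secret")
     # Use assertEqual: the assertEquals alias is deprecated and was
     # removed in Python 3.12.
     self.assertEqual(req.authorization[0], "OAuth")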
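 def test_authenticated_request_works(self):
     """Check the happy path: a correctly signed request returns the expected body."""
     session = self._start_session()
     req = Request.blank("/")
     sign_request(req, **session)
     r = self.app.request(req)
     # Use assertEqual: the assertEquals alias is deprecated and was
     # removed in Python 3.12.
     self.assertEqual(r.body, "*****@*****.**")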