Example #1
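    def create_digest(self, username, api_key, method, uri):
        """
        Creates & returns the HTTP ``Authorization`` header for use with Digest
        Auth.

        The digest challenge is generated locally (realm ``django-tastypie``)
        and answered with ``api_key`` as the password.

        :param username: account name placed in the digest response
        :param api_key: the user's API key, used as the digest password
        :param method: HTTP method; upper-cased before it is signed
        :param uri: request URI covered by the digest
        :returns: whatever ``python_digest.build_authorization_request``
            returns for these inputs
        """
        from tastypie.authentication import hmac, sha1, uuid, python_digest

        # Per-call opaque value: an HMAC-SHA1 keyed with a fresh random UUID.
        new_uuid = uuid.uuid4()
        opaque = hmac.new(
            str(new_uuid).encode('utf-8'), digestmod=sha1
        ).hexdigest()
        # hexdigest() is a byte string on Python 2 but already text on
        # Python 3, where an unconditional .decode() raises AttributeError.
        if isinstance(opaque, bytes):
            opaque = opaque.decode('utf-8')

        # NOTE(review): the challenge is signed with SECRET_KEY and falls back
        # to an empty secret when the setting is absent. That is tolerable in
        # a test helper only; a missing SECRET_KEY should not go unnoticed in
        # code that issues real challenges.
        challenge = python_digest.build_digest_challenge(
            time.time(),
            getattr(settings, 'SECRET_KEY', ''),
            'django-tastypie',
            opaque,
            False
        )
        return python_digest.build_authorization_request(
            username,
            method.upper(),
            uri,
            1,  # nonce_count
            digest_challenge=challenge,
            password=api_key
        )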
    def test_whitelisting(self):
        """Whitelisted method names skip Digest auth; other names require it."""
        authenticator = DigestAuthentication(whitelisted_methods=['a_method'])
        req = HttpRequest()

        # Stand in for the signal that provisions the user's API key.
        user = User.objects.get(username='******')
        create_api_key(User, instance=user, created=True)

        # No credentials supplied: the whitelisted name is accepted outright,
        # so anything listed in whitelisted_methods is effectively public.
        allowed = authenticator.is_authenticated(req, method_name='a_method')
        self.assertEqual(allowed, True)

        # A name that is not whitelisted gets an HttpUnauthorized response.
        rejected = authenticator.is_authenticated(req, method_name='another_method')
        self.assertIsInstance(rejected, HttpUnauthorized)

        # Answer a fresh challenge with a digest built from the API key.
        user = User.objects.get(username='******')
        challenge = authenticator.is_authenticated(req)['WWW-Authenticate']
        req.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            user.username,
            req.method,
            '/',  # uri
            1,    # nonce_count
            digest_challenge=challenge,
            password=user.api_key.key
        )

        # With valid credentials both names authenticate.
        for name in ("another_method", "a_method"):
            self.assertEqual(authenticator.is_authenticated(req, method_name=name), True)
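    def test_check_active_false(self):
        """A valid digest must authenticate when ``require_active=False``.

        NOTE(review): the account fetched below is presumably an inactive
        fixture user; confirm against the test fixtures.
        """
        auth = DigestAuthentication(require_active=False)
        request = HttpRequest()

        bob_doe = User.objects.get(username='******')
        create_api_key(User, instance=bob_doe, created=True)

        # First call carries no credentials, so it yields the challenge.
        auth_request = auth.is_authenticated(request)
        request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            username=bob_doe.username,
            method=request.method,
            uri='/',
            nonce_count=1,
            digest_challenge=python_digest.parse_digest_challenge(auth_request['WWW-Authenticate']),
            password=bob_doe.api_key.key
        )
        auth_request = auth.is_authenticated(request)
        # assertTrue(value, True) treats the second argument as the failure
        # message and accepts any truthy value, which would include a
        # rejection response object. Compare against True so that a failed
        # authentication cannot pass this test.
        self.assertEqual(auth_request, True)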
Example #4
    def test_check_active_true(self):
        """Default settings must reject this account despite a valid digest."""
        authenticator = DigestAuthentication()
        req = HttpRequest()

        user = User.objects.get(username='******')
        create_api_key(User, instance=user, created=True)

        # The credential-less call produces the challenge to answer.
        challenge_response = authenticator.is_authenticated(req)
        challenge = challenge_response['WWW-Authenticate']
        authorization = python_digest.build_authorization_request(
            user.username,
            req.method,
            '/',  # uri
            1,    # nonce_count
            digest_challenge=challenge,
            password=user.api_key.key
        )
        req.META['HTTP_AUTHORIZATION'] = authorization

        # Correct digest, yet the result has to be falsy.
        outcome = authenticator.is_authenticated(req)
        self.assertFalse(outcome)
    def test_check_active_true(self):
        """Default settings must reject this account despite a valid digest."""
        authenticator = DigestAuthentication()
        req = HttpRequest()

        user = User.objects.get(username="******")
        create_api_key(User, instance=user, created=True)

        # The credential-less call produces the challenge header, which is
        # parsed before being answered.
        challenge_response = authenticator.is_authenticated(req)
        authorization = python_digest.build_authorization_request(
            username=user.username,
            method=req.method,
            uri="/",
            nonce_count=1,
            digest_challenge=python_digest.parse_digest_challenge(
                challenge_response["WWW-Authenticate"]
            ),
            password=user.api_key.key,
        )
        req.META["HTTP_AUTHORIZATION"] = authorization

        # Correct digest, yet the result has to be falsy.
        outcome = authenticator.is_authenticated(req)
        self.assertFalse(outcome)
Example #6
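    def create_digest(self, username, api_key, method, uri):
        """
        Creates & returns the HTTP ``Authorization`` header for use with Digest
        Auth.

        The digest challenge is generated locally (realm ``django-tastypie``)
        and answered with ``api_key`` as the password.

        :param username: account name placed in the digest response
        :param api_key: the user's API key, used as the digest password
        :param method: HTTP method; upper-cased before it is signed
        :param uri: request URI covered by the digest
        :returns: whatever ``python_digest.build_authorization_request``
            returns for these inputs
        """
        from tastypie.authentication import hmac, sha1, uuid, python_digest

        # Per-call opaque value: an HMAC-SHA1 keyed with a fresh random UUID.
        # The key is encoded because hmac.new() rejects text keys on Python 3;
        # encoding the ASCII UUID string is harmless on Python 2.
        new_uuid = uuid.uuid4()
        opaque = hmac.new(str(new_uuid).encode('utf-8'), digestmod=sha1).hexdigest()

        # NOTE(review): the challenge is signed with SECRET_KEY and falls back
        # to an empty secret when the setting is absent. That is tolerable in
        # a test helper only; a missing SECRET_KEY should not go unnoticed in
        # code that issues real challenges.
        challenge = python_digest.build_digest_challenge(
            time.time(),
            getattr(settings, 'SECRET_KEY', ''),
            'django-tastypie',
            opaque,
            False
        )
        return python_digest.build_authorization_request(
            username,
            method.upper(),
            uri,
            1,  # nonce_count
            digest_challenge=challenge,
            password=api_key
        )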
Example #7
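    def test_check_active_false(self):
        """A valid digest must authenticate when ``require_active=False``.

        NOTE(review): the account fetched below is presumably an inactive
        fixture user; confirm against the test fixtures.
        """
        auth = DigestAuthentication(require_active=False)
        request = HttpRequest()

        bob_doe = User.objects.get(username='******')
        create_api_key(User, instance=bob_doe, created=True)

        # First call carries no credentials, so it yields the challenge.
        auth_request = auth.is_authenticated(request)
        request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            bob_doe.username,
            request.method,
            '/',  # uri
            1,  # nonce_count
            digest_challenge=auth_request['WWW-Authenticate'],
            password=bob_doe.api_key.key)
        auth_request = auth.is_authenticated(request)
        # assertTrue(value, True) treats the second argument as the failure
        # message and accepts any truthy value, which would include a
        # rejection response object. Compare against True so that a failed
        # authentication cannot pass this test.
        self.assertEqual(auth_request, True)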
    def test_check_active_true(self):
        """Default settings must reject this account despite a valid digest."""
        authenticator = DigestAuthentication()
        req = HttpRequest()

        user = User.objects.get(username='******')
        create_api_key(User, instance=user, created=True)

        # The credential-less call produces the challenge header, which is
        # parsed before being answered.
        challenge_response = authenticator.is_authenticated(req)
        authorization = python_digest.build_authorization_request(
            username=user.username,
            method=req.method,
            uri='/',
            nonce_count=1,
            digest_challenge=python_digest.parse_digest_challenge(
                challenge_response['WWW-Authenticate']
            ),
            password=user.api_key.key
        )
        req.META['HTTP_AUTHORIZATION'] = authorization

        # Correct digest, yet the result has to be falsy.
        outcome = authenticator.is_authenticated(req)
        self.assertFalse(outcome)
    def test_is_authenticated(self):
        """Digest auth rejects missing or malformed headers, accepts a valid one."""
        authenticator = DigestAuthentication()
        req = HttpRequest()

        # Stand in for the signal that provisions the user's API key.
        user = User.objects.get(username='******')
        create_api_key(User, instance=user, created=True)

        # No Authorization header at all: rejected with a challenge.
        response = authenticator.is_authenticated(req)
        self.assertIsInstance(response, HttpUnauthorized)

        # The challenge names the Digest scheme first and carries the realm,
        # an opaque value and a nonce.
        header = response['WWW-Authenticate']
        self.assertEqual(header.find('Digest'), 0)
        for fragment in (' realm="django-tastypie"', ' opaque=', 'nonce='):
            self.assertEqual(header.find(fragment) > 0, True)

        # Header values that are not digest responses: arbitrary text, a
        # base64 user name without password, a base64 user:password pair.
        bad_headers = (
            'abcdefg',
            base64.b64encode('daniel'.encode('utf-8')).decode('utf-8'),
            base64.b64encode('daniel:pass'.encode('utf-8')).decode('utf-8'),
        )
        for bad_header in bad_headers:
            req.META['HTTP_AUTHORIZATION'] = bad_header
            response = authenticator.is_authenticated(req)
            self.assertIsInstance(response, HttpUnauthorized)

        # Answer the most recent challenge with a digest built from the key.
        user = User.objects.get(username='******')
        challenge = python_digest.parse_digest_challenge(response['WWW-Authenticate'])
        req.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            username=user.username,
            method=req.method,
            uri='/',
            nonce_count=1,
            digest_challenge=challenge,
            password=user.api_key.key
        )
        response = authenticator.is_authenticated(req)
        self.assertEqual(response, True)
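    def test_is_authenticated(self):
        """Digest auth rejects missing or malformed headers, accepts a valid one."""
        auth = DigestAuthentication()
        request = HttpRequest()

        # Simulate sending the signal.
        john_doe = User.objects.get(username="******")
        create_api_key(User, instance=john_doe, created=True)

        # No Authorization header should fail and return a challenge.
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # HttpUnauthorized with auth type and realm
        self.assertEqual(auth_request["WWW-Authenticate"].find("Digest"), 0)
        self.assertEqual(auth_request["WWW-Authenticate"].find(' realm="django-tastypie"') > 0, True)
        self.assertEqual(auth_request["WWW-Authenticate"].find(" opaque=") > 0, True)
        self.assertEqual(auth_request["WWW-Authenticate"].find("nonce=") > 0, True)

        # A header value that is not a digest response.
        request.META["HTTP_AUTHORIZATION"] = "abcdefg"
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # No password. b64encode() needs bytes on Python 3, so encode the
        # input and decode the result; without this the test dies with a
        # TypeError before the authenticator is exercised.
        request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel".encode("utf-8")).decode("utf-8")
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # Wrong user/password.
        request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel:pass".encode("utf-8")).decode("utf-8")
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # Correct user/password, answering the most recent challenge.
        john_doe = User.objects.get(username="******")
        request.META["HTTP_AUTHORIZATION"] = python_digest.build_authorization_request(
            john_doe.username,
            request.method,
            "/",  # uri
            1,  # nonce_count
            digest_challenge=auth_request["WWW-Authenticate"],
            password=john_doe.api_key.key,
        )
        auth_request = auth.is_authenticated(request)
        self.assertEqual(auth_request, True)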
Example #11
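    def test_is_authenticated(self):
        """Digest auth rejects missing or malformed headers, accepts a valid one."""
        auth = DigestAuthentication()
        request = HttpRequest()

        # Simulate sending the signal.
        john_doe = User.objects.get(username='******')
        create_api_key(User, instance=john_doe, created=True)

        # No Authorization header should fail and return a challenge.
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # HttpUnauthorized with auth type and realm
        self.assertEqual(auth_request['WWW-Authenticate'].find('Digest'), 0)
        self.assertEqual(auth_request['WWW-Authenticate'].find(' realm="django-tastypie"') > 0, True)
        self.assertEqual(auth_request['WWW-Authenticate'].find(' opaque=') > 0, True)
        self.assertEqual(auth_request['WWW-Authenticate'].find('nonce=') > 0, True)

        # A header value that is not a digest response.
        request.META['HTTP_AUTHORIZATION'] = 'abcdefg'
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # No password. b64encode() needs bytes on Python 3, so encode the
        # input and decode the result; without this the test dies with a
        # TypeError before the authenticator is exercised.
        request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel'.encode('utf-8')).decode('utf-8')
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # Wrong user/password.
        request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel:pass'.encode('utf-8')).decode('utf-8')
        auth_request = auth.is_authenticated(request)
        self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

        # Correct user/password, answering the most recent challenge.
        john_doe = User.objects.get(username='******')
        request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            john_doe.username,
            request.method,
            '/', # uri
            1,   # nonce_count
            digest_challenge=auth_request['WWW-Authenticate'],
            password=john_doe.api_key.key
        )
        auth_request = auth.is_authenticated(request)
        self.assertEqual(auth_request, True)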
Example #12
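    def test_check_active_false(self):
        """A valid digest must authenticate when ``require_active=False``.

        Skipped on Django >= 1.10. NOTE(review): the account fetched below is
        presumably an inactive fixture user; confirm against the fixtures.
        """
        if django.VERSION >= (1, 10):
            # Report the case as skipped instead of returning early, so the
            # missing coverage shows up in test output rather than counting
            # as a pass.
            self.skipTest(
                'Authenticating inactive users via ModelUserBackend not '
                'supported for Django >= 1.10'
            )
        auth = DigestAuthentication(require_active=False)
        request = HttpRequest()

        bob_doe = User.objects.get(username='******')
        create_api_key(User, instance=bob_doe, created=True)

        # First call carries no credentials, so it yields the challenge.
        auth_request = auth.is_authenticated(request)
        request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
            bob_doe.username,
            request.method,
            '/', # uri
            1,   # nonce_count
            digest_challenge=auth_request['WWW-Authenticate'],
            password=bob_doe.api_key.key
        )
        auth_request = auth.is_authenticated(request)
        # assertTrue(value, True) treats the second argument as the failure
        # message and accepts any truthy value, which would include a
        # rejection response object. Compare against True so that a failed
        # authentication cannot pass this test.
        self.assertEqual(auth_request, True)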