def createDocumentRoot(self): docroot = self.mktemp() os.mkdir(docroot) userResource = TestDAVPrincipalResource("/principals/users/user01") userResource.writeDeadProperty(TwistedPasswordProperty("user01")) principalCollection = TestPrincipalsCollection( "/principals/", children={"users": TestPrincipalsCollection( "/principals/users/", children={"user01": userResource})}) rootResource = self.resource_class( docroot, principalCollections=(principalCollection,)) portal = Portal(DavRealm()) portal.registerChecker(TwistedPropertyChecker()) credentialFactories = (basic.BasicCredentialFactory(""),) loginInterfaces = (IPrincipal,) self.site = Site(AuthenticationWrapper( rootResource, portal, credentialFactories, credentialFactories, loginInterfaces )) rootResource.setAccessControlList(self.grant(element.All())) for name, acl in ( ("none" , self.grant()), ("read" , self.grant(element.Read())), ("read-write" , self.grant(element.Read(), element.Write())), ("unlock" , self.grant(element.Unlock())), ("all" , self.grant(element.All())), ): filename = os.path.join(docroot, name) if not os.path.isfile(filename): file(filename, "w").close() resource = self.resource_class(filename) resource.setAccessControlList(acl) for name, acl in ( ("nobind" , self.grant()), ("bind" , self.grant(element.Bind())), ("unbind" , self.grant(element.Bind(), element.Unbind())), ): dirname = os.path.join(docroot, name) if not os.path.isdir(dirname): os.mkdir(dirname) resource = self.resource_class(dirname) resource.setAccessControlList(acl) return docroot
def test_basicAuthPrevention(self): """ Ensure authentication factories which are not safe to use over an "unencrypted wire" are not advertised when an insecure (i.e. non-SSL connection is made. """ FakeFactory = collections.namedtuple("FakeFactory", ("scheme,")) wireEncryptedfactories = [FakeFactory("basic"), FakeFactory("digest"), FakeFactory("xyzzy")] wireUnencryptedfactories = [FakeFactory("digest"), FakeFactory("xyzzy")] class FakeChannel(object): def __init__(self, secure): self.secure = secure def getHostInfo(self): return "ignored", self.secure class FakeRequest(object): def __init__(self, secure): self.portal = None self.loginInterfaces = None self.credentialFactories = None self.chanRequest = FakeChannel(secure) wrapper = AuthenticationWrapper(None, None, wireEncryptedfactories, wireUnencryptedfactories, None) req = FakeRequest(True) # Connection is over SSL wrapper.hook(req) self.assertEquals( set(req.credentialFactories.keys()), set(["basic", "digest", "xyzzy"]) ) req = FakeRequest(False) # Connection is not over SSL wrapper.hook(req) self.assertEquals( set(req.credentialFactories.keys()), set(["digest", "xyzzy"]) )
def setUp(self): TestCase.setUp(self) gooduser = TestDAVPrincipalResource("/users/gooduser") gooduser.writeDeadProperty(TwistedPasswordProperty("goodpass")) baduser = TestDAVPrincipalResource("/users/baduser") baduser.writeDeadProperty(TwistedPasswordProperty("badpass")) rootresource = TestPrincipalsCollection( "/", { "users": TestResource("/users/", { "gooduser": gooduser, "baduser": baduser }) }) protected = TestResource("/protected", principalCollections=[rootresource]) protected.setAccessControlList( davxml.ACL( davxml.ACE(davxml.Principal(davxml.HRef("/users/gooduser")), davxml.Grant(davxml.Privilege(davxml.All())), davxml.Protected()))) rootresource.children["protected"] = protected portal = Portal(DavRealm()) portal.registerChecker(TwistedPropertyChecker()) credentialFactories = (basic.BasicCredentialFactory(""), ) loginInterfaces = (IPrincipal, ) self.rootresource = rootresource self.site = Site( AuthenticationWrapper( self.rootresource, portal, credentialFactories, credentialFactories, loginInterfaces, ))
def test_basicAuthPrevention(self): """ Ensure authentication factories which are not safe to use over an "unencrypted wire" are not advertised when an insecure (i.e. non-SSL connection is made. """ FakeFactory = collections.namedtuple("FakeFactory", ("scheme,")) wireEncryptedfactories = [ FakeFactory("basic"), FakeFactory("digest"), FakeFactory("xyzzy") ] wireUnencryptedfactories = [ FakeFactory("digest"), FakeFactory("xyzzy") ] class FakeChannel(object): def __init__(self, secure): self.secure = secure def getHostInfo(self): return "ignored", self.secure class FakeRequest(object): def __init__(self, secure): self.portal = None self.loginInterfaces = None self.credentialFactories = None self.chanRequest = FakeChannel(secure) wrapper = AuthenticationWrapper(None, None, wireEncryptedfactories, wireUnencryptedfactories, None) req = FakeRequest(True) # Connection is over SSL wrapper.hook(req) self.assertEquals(set(req.credentialFactories.keys()), set(["basic", "digest", "xyzzy"])) req = FakeRequest(False) # Connection is not over SSL wrapper.hook(req) self.assertEquals(set(req.credentialFactories.keys()), set(["digest", "xyzzy"]))