def test(self): # Create a request message with simple registration fields sreg_req = sreg.SRegRequest(required=['nickname', 'email'], optional=['fullname']) req_msg = Message() req_msg.updateArgs(sreg.ns_uri, sreg_req.getExtensionArgs()) req = OpenIDRequest() req.message = req_msg req.namespace = req_msg.getOpenIDNamespace() # -> send checkid_* request # Create an empty response message resp_msg = Message() resp = OpenIDResponse(req) resp.fields = resp_msg # Put the requested data fields in the response message sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, data) resp.addExtension(sreg_resp) # <- send id_res response # Extract the fields that were sent sreg_data_resp = resp_msg.getArgs(sreg.ns_uri) self.failUnlessEqual( {'nickname':'linusaur', 'email':'*****@*****.**', 'fullname':'Leonhard Euler', }, sreg_data_resp)
def make_response_ax(self, schema="http://axschema.org/", fullname="Some User", nickname="someuser", email="*****@*****.**", first=None, last=None, verified=False): endpoint = OpenIDServiceEndpoint() message = Message(OPENID2_NS) attributes = [("nickname", schema + "namePerson/friendly", nickname), ("fullname", schema + "namePerson", fullname), ("email", schema + "contact/email", email), ("account_verified", "http://ns.login.ubuntu.com/2013/validation/account", "token_via_email" if verified else "no")] if first: attributes.append( ("first", "http://axschema.org/namePerson/first", first)) if last: attributes.append( ("last", "http://axschema.org/namePerson/last", last)) message.setArg(AX_NS, "mode", "fetch_response") for (alias, uri, value) in attributes: message.setArg(AX_NS, "type.%s" % alias, uri) message.setArg(AX_NS, "value.%s" % alias, value) return SuccessResponse(endpoint, message, signed_fields=message.toPostArgs().keys())
def testNotAllowed(self): """ Test the case where an unsupported-type response specifies a preferred (assoc_type, session_type) combination that is not allowed by the consumer's SessionNegotiator. """ allowed_types = [] negotiator = association.SessionNegotiator(allowed_types) self.consumer.negotiator = negotiator msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'not-allowed') msg.setArg(OPENID_NS, 'session_type', 'not-allowed') self.consumer.return_messages = [msg] with LogCapture() as logbook: self.assertIsNone( self.consumer._negotiateAssociation(self.endpoint)) unsupported_msg = StringComparison( 'Server sent unsupported session/association type: .*') logbook.check(('openid.consumer.consumer', 'ERROR', StringComparison('Unsupported association type .*')), ('openid.consumer.consumer', 'ERROR', unsupported_msg))
def test_setOpenIDNamespace_deprecated(self): message = Message() warning_msg = "Method 'setOpenIDNamespace' is deprecated. Pass namespace to Message constructor instead." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') message.setOpenIDNamespace(OPENID2_NS, False) self.assertEqual(message.getOpenIDNamespace(), OPENID2_NS)
def testBadResponse(self): self.consumer.return_messages = [ Message(self.endpoint.preferredNamespace()) ] self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches( 'Server error when requesting an association')
def testBadResponse(self): """ Test the case where the response to an associate request is a server error or is otherwise undecipherable. """ self.consumer.return_messages = [Message(self.endpoint.preferredNamespace())] self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches('Server error when requesting an association')
def setUp(self): self.message = m = Message(OPENID2_NS) m.updateArgs(OPENID2_NS, {'mode': 'id_res', 'identifier': '=example'}) m.updateArgs(BARE_NS, {'xey': 'value'}) self.args = {'openid.mode': 'id_res', 'openid.identifier': '=example', 'xey': 'value'}
def testUnsupportedWithRetryAndFail(self): """ Test the case where an unsupported-typ response triggers a retry, but the retry fails and None is returned instead. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') self.consumer.return_messages = [msg, Message(self.endpoint.preferredNamespace())] self.failUnlessEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches('Unsupported association type', 'Server %s refused' % (self.endpoint.server_url))
def create_sreg_response(self, fullname='', email='', identifier=''): message = Message(OPENID2_NS) message.setArg(SREG_NS, "fullname", fullname) message.setArg(SREG_NS, "email", email) endpoint = OpenIDServiceEndpoint() endpoint.display_identifier = identifier return SuccessResponse(endpoint, message, signed_fields=message.toPostArgs().keys())
def test_aintGotSignedList(self): m = Message(OPENID2_NS) m.updateArgs(OPENID2_NS, {'mode': 'id_res', 'identifier': '=example', 'sig': 'coyote', }) m.updateArgs(BARE_NS, {'xey': 'value'}) assoc = association.Association.fromExpiresIn(3600, '{sha1}', b'very_secret', "HMAC-SHA1") self.assertRaises(ValueError, assoc.checkMessageSignature, m)
def testBadResponse(self): """ Test the case where the response to an associate request is a server error or is otherwise undecipherable. """ self.consumer.return_messages = [Message(self.endpoint.preferredNamespace())] with LogCapture() as logbook: self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) logbook.check( ('openid.consumer.consumer', 'ERROR', StringComparison('Server error when requesting an association .*')))
def testUnsupportedWithRetryAndFail(self): """ Test the case where an unsupported-typ response triggers a retry, but the retry fails and None is returned instead. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') self.consumer.return_messages = [msg, Message(self.endpoint.preferredNamespace())] with LogCapture() as logbook: self.assertIsNone(self.consumer._negotiateAssociation(self.endpoint)) refused_msg = StringComparison('Server %s refused its .*' % self.endpoint.server_url) logbook.check(('openid.consumer.consumer', 'WARNING', StringComparison('Unsupported association type .*')), ('openid.consumer.consumer', 'ERROR', refused_msg))
def setUp(self): self.message = m = Message(OPENID2_NS) m.updateArgs(OPENID2_NS, { 'mode': 'id_res', 'identifier': '=example', 'signed': 'identifier,mode', 'sig': 'cephalopod', }) m.updateArgs(BARE_NS, {'xey': 'value'}) self.assoc = association.Association.fromExpiresIn(3600, '{sha1}', b'very_secret', "HMAC-SHA1")
def testEmptySessionType(self): msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') # not set: msg.setArg(OPENID_NS, 'session_type', None) self.consumer.return_messages = [msg] self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches('Server error when requesting an association')
def testBadResponse(self): self.consumer.return_messages = [ Message(self.endpoint.preferredNamespace()) ] with LogCapture() as logbook: self.assertIsNone( self.consumer._negotiateAssociation(self.endpoint)) logbook.check( ('openid.consumer.consumer', 'ERROR', StringComparison('Server error when requesting an association .*') ))
def testEmptySessionType(self): msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') # not set: msg.setArg(OPENID_NS, 'session_type', None) self.consumer.return_messages = [msg] with LogCapture() as logbook: self.assertIsNone(self.consumer._negotiateAssociation(self.endpoint)) logbook.check( ('openid.consumer.consumer', 'ERROR', StringComparison('Server error when requesting an association .*')))
def test_isOpenID1(self): v1_namespaces = [ # Yes, there are two of them. 'http://openid.net/signon/1.1', 'http://openid.net/signon/1.0', ] for ns in v1_namespaces: m = Message(ns) self.assertTrue(m.isOpenID1(), "%r not recognized as OpenID 1" % ns) self.assertEqual(m.getOpenIDNamespace(), ns) self.assertTrue(m.namespaces.isImplicit(ns))
def test_extract_user_details_sreg(self): endpoint = OpenIDServiceEndpoint() message = Message(OPENID2_NS) message.setArg(SREG_NS, "nickname", "someuser") message.setArg(SREG_NS, "fullname", "Some User") message.setArg(SREG_NS, "email", "*****@*****.**") response = SuccessResponse( endpoint, message, signed_fields=message.toPostArgs().keys()) data = self.backend._extract_user_details(response) self.assertEqual(data, {"nickname": "someuser", "first_name": "Some", "last_name": "User", "email": "*****@*****.**"})
def testUnsupportedWithRetry(self): msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') assoc = association.Association( 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') self.consumer.return_messages = [msg, assoc] self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is None) self.failUnlessLogMatches('Server error when requesting an association')
def testUnsupportedWithRetry(self): msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') assoc = association.Association('handle', b'secret', 'issued', 10000, 'HMAC-SHA1') self.consumer.return_messages = [msg, assoc] with LogCapture() as logbook: self.assertIsNone(self.consumer._negotiateAssociation(self.endpoint)) logbook.check( ('openid.consumer.consumer', 'ERROR', StringComparison('Server error when requesting an association .*')))
def make_openid_response(self, sreg_args=None, teams_args=None): endpoint = OpenIDServiceEndpoint() endpoint.claimed_id = 'some-id' message = Message(OPENID2_NS) if sreg_args is not None: for key, value in sreg_args.items(): message.setArg(SREG_NS, key, value) if teams_args is not None: for key, value in teams_args.items(): message.setArg(TEAMS_NS, key, value) response = SuccessResponse(endpoint, message, signed_fields=message.toPostArgs().keys()) return response
def testNotAllowed(self): allowed_types = [] negotiator = association.SessionNegotiator(allowed_types) self.consumer.negotiator = negotiator msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'not-allowed') msg.setArg(OPENID_NS, 'session_type', 'not-allowed') self.consumer.return_messages = [msg] self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches('Server error when requesting an association')
def testNotAllowed(self): allowed_types = [] negotiator = association.SessionNegotiator(allowed_types) self.consumer.negotiator = negotiator msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'not-allowed') msg.setArg(OPENID_NS, 'session_type', 'not-allowed') self.consumer.return_messages = [msg] with LogCapture() as logbook: self.assertIsNone(self.consumer._negotiateAssociation(self.endpoint)) logbook.check( ('openid.consumer.consumer', 'ERROR', StringComparison('Server error when requesting an association .*')))
def testUnsupportedWithRetry(self): """ Test the case where an unsupported-type response triggers a retry to get an association with the new preferred type. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') assoc = association.Association('handle', b'secret', 'issued', 10000, 'HMAC-SHA1') self.consumer.return_messages = [msg, assoc] with LogCapture() as logbook: self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), assoc) logbook.check(('openid.consumer.consumer', 'WARNING', StringComparison('Unsupported association type .*')))
def testEmptySessionType(self): """ Test the case where the session type (session_type) returned in an unsupported-type response is absent. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') # not set: msg.setArg(OPENID_NS, 'session_type', None) self.consumer.return_messages = [msg] with LogCapture() as logbook: self.assertIsNone(self.consumer._negotiateAssociation(self.endpoint)) no_fallback_msg = 'Server responded with unsupported association session but did not supply a fallback.' logbook.check(('openid.consumer.consumer', 'WARNING', StringComparison('Unsupported association type .*')), ('openid.consumer.consumer', 'WARNING', no_fallback_msg))
def testEmptySessionType(self): """ Test the case where the session type (session_type) returned in an unsupported-type response is absent. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') # not set: msg.setArg(OPENID_NS, 'session_type', None) self.consumer.return_messages = [msg] self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) self.failUnlessLogMatches('Unsupported association type', 'Server responded with unsupported association ' + 'session but did not supply a fallback.')
def testUnsupportedWithRetry(self): """ Test the case where an unsupported-type response triggers a retry to get an association with the new preferred type. """ msg = Message(self.endpoint.preferredNamespace()) msg.setArg(OPENID_NS, 'error', 'Unsupported type') msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') assoc = association.Association( 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') self.consumer.return_messages = [msg, assoc] self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is assoc) self.failUnlessLogMatches('Unsupported association type')
def toMessage(self, message=None): """Add the arguments from this extension to the provided message, or create a new message containing only those arguments. @returns: The message with the extension arguments added """ if message is None: message = Message() try: message.namespaces.addAlias(self.ns_uri, self.ns_alias) except KeyError: if message.namespaces.getAlias(self.ns_uri) != self.ns_alias: raise message.updateArgs(self.ns_uri, self.getExtensionArgs()) return message
def test_extract_user_details_ax(self): endpoint = OpenIDServiceEndpoint() message = Message(OPENID2_NS) attributes = [ ("nickname", "http://axschema.org/namePerson/friendly", "someuser"), ("fullname", "http://axschema.org/namePerson", "Some User"), ("email", "http://axschema.org/contact/email", "*****@*****.**"), ] message.setArg(AX_NS, "mode", "fetch_response") for (alias, uri, value) in attributes: message.setArg(AX_NS, "type.%s" % alias, uri) message.setArg(AX_NS, "value.%s" % alias, value) response = SuccessResponse( endpoint, message, signed_fields=message.toPostArgs().keys()) data = self.backend._extract_user_details(response) self.assertEqual(data, {"nickname": "someuser", "first_name": "Some", "last_name": "User", "email": "*****@*****.**"})
def post(self): # We _must_ be authenticated. userpass = self.getBasicAuth() self.user = userpass[0] if userpass else None # just trust it if not self.user: self.sendAuthenticationChallenge() return # Um. How do we safely determine which endpoint the user has granted access to? # Do we need to sign the trust_root/identity tuple somehow? # For now we just pull it out of the request. This is not right. go = self.request.arguments['go'][0] root = self.request.arguments['root'][0] id = self.request.arguments['id'][0] return_to = self.request.arguments['return_to'][0] if 'return_to' in self.request.arguments else None assoc_handle = self.request.arguments['assoc_handle'][0] if 'assoc_handle' in self.request.arguments else None op_endpoint = self.request.arguments['op_endpoint'][0] if 'op_endpoint' in self.request.arguments else None request = server.CheckIDRequest(id, return_to, root, assoc_handle=assoc_handle, op_endpoint=op_endpoint) request.message = Message(OPENID2_NS) # XXX version? remember = self.request.arguments['remember'][0] == 'yes' if 'remember' in self.request.arguments else False if 'Yes, allow this site to know who I am' == go: if remember: # Persist remember on the user # self.server.approved[(identity, trust_root)] = 'always' pass response = self.approved(request, id) elif 'no' in query: response = request.answer(False) else: logging.error('strange allow post. %r' % (query,)) raise tornado.web.HTTPError("400", "Strange Allow Post") self.displayResponse(response)