def test_verify_expired_response(self):
"""Verify a response with its expiry set in the past."""
cert, key = gen_certificate()
# Create a AuthTokenResponse with the basic credentials.
atr = token_pb2.AuthTokenResponse()
set_basic_creds(atr.basic_creds)
atr.basic_creds.expires -= 90
atr.certificate = _TEST_CERT
atr.original_uri = 'https://localhost/'
atr.app_name = 'Test Application'
atr.granted = calendar.timegm(datetime.now().timetuple())
atr.random = 'A' * 42 # TODO(caoimhe): This should go away.
# Create the codec and encode.
atrc = token_cookie.AuthTokenResponseCodec(atr, privkey=key)
data = atrc.encode()
# Verify the signature.
vatr = token_pb2.AuthTokenResponse()
vatrc = token_cookie.AuthTokenResponseCodec(vatr,
pubkey=cert.get_pub_key())
self.assertRaises(token_cookie.TokenExpiredException, vatrc.decode,
data)
def login_handler(self, access_token):
"""Handle a login response from the login server.
This should be invoked when an HTTP post from the login server
occurs. This method will return any local cookies to set up and
redirects the user back to the URL requested with the login
operation.
Please note that when the /login handler is invoked, the peer
will not be the login server, but the user.
Args:
access_token: the content of the access_token HTTP parameter
sent by the login server. This will essentially be a signed,
base64 encoded token with user information.
Returns:
Tuple with the cookie value to set the authentication token,
and the URL to redirect the user to.
"""
atr = token_pb2.AuthTokenResponse()
atrc = token_cookie.AuthTokenResponseCodec(atr, cacert=self._ca)
atrc.decode(access_token)
expiry = datetime.now() + timedelta(1)
tc = token_pb2.TokenCookie()
tc.basic_creds.user_name = atr.basic_creds.user_name
tc.basic_creds.scope.extend(atr.basic_creds.scope)
tc.basic_creds.expires = calendar.timegm(expiry.utctimetuple())
tcc = token_cookie.TokenCookieCodec(tc, privkey=self._rsa_key)
cookiedata = tcc.encode()
return (cookiedata, atr.original_uri)
def test_verify_wrong_signature(self):
"""Verify a wrong signature."""
cert, key = gen_certificate()
# Set up a token cookie with test data.
atr = token_pb2.AuthTokenResponse()
set_basic_creds(atr.basic_creds)
atr.certificate = _TEST_CERT
atr.original_uri = 'https://localhost/'
atr.app_name = 'Test Application'
atr.granted = calendar.timegm(datetime.now().timetuple())
atr.random = 'A' * 42 # TODO(caoimhe): This should go away.
# Fill in a bogus signature.
h = SHA256.new('A' * 42)
signer = PKCS1_v1_5.new(key)
atr.signature = signer.sign(h)
# Finally, build our own base64.
data = base64.urlsafe_b64encode(atr.SerializeToString())
# Verify the signature.
vatr = token_pb2.AuthTokenResponse()
atrc = token_cookie.AuthTokenResponseCodec(vatr,
pubkey=cert.get_pub_key())
self.assertRaises(token_cookie.SignatureException, atrc.decode, data)
def test_sign_and_decrypt(self):
"""Encode and decode an authentication token response object."""
# We need a CA signed certificate, so we use the one
# from above.
cert = x509.parse_certificate(_TEST_CERT)
key = RSA.importKey(_TEST_KEY)
cacert = x509.parse_certificate(_TEST_CA)
# Sanity check for the above certificates.
self.assertTrue(cert.check_signature(cacert))
# Create an AuthTokenRequest with some correct-sounding data.
atr = token_pb2.AuthTokenResponse()
set_basic_creds(atr.basic_creds)
atr.certificate = _TEST_CERT
atr.original_uri = 'https://localhost/'
atr.app_name = 'Test Application'
atr.granted = calendar.timegm(datetime.now().timetuple())
atr.random = 'A' * 42 # TODO(caoimhe): This should go away.
# Create the codec and encode.
atrc = token_cookie.AuthTokenResponseCodec(atr, privkey=key)
data = atrc.encode()
# Verify the signature.
vatr = token_pb2.AuthTokenResponse()
vatrc = token_cookie.AuthTokenResponseCodec(vatr,
pubkey=cert.get_pub_key())
try:
vatrc.decode(data)
except token_cookie.SignatureException as e:
self.fail("Can't verify signature using original certificate")
self.assertEqual(atr, vatr)
# Decode again, using the contained certificate.
vatr.Clear()
vatrc = token_cookie.AuthTokenResponseCodec(vatr, cacert=cacert)
try:
vatrc.decode(data)
except token_cookie.SignatureException as e:
self.fail("Can't verify signature using inband certificate: " +
e.message)
self.assertEqual(atr, vatr)
def test_verify_unknown_signer(self):
"""Verify a wrong signature."""
cert, key = gen_certificate()
cacert = x509.parse_certificate(_TEST_CA)
# Set up a token cookie with test data.
atr = token_pb2.AuthTokenResponse()
set_basic_creds(atr.basic_creds)
atr.certificate = _TEST_CERT
atr.original_uri = 'https://localhost/'
atr.app_name = 'Test Application'
atr.granted = calendar.timegm(datetime.now().timetuple())
atr.random = 'A' * 42 # TODO(caoimhe): This should go away.
# Create the codec and encode.
atrc = token_cookie.AuthTokenResponseCodec(atr, privkey=key)
data = atrc.encode()
# Verify the signature.
vatr = token_pb2.AuthTokenResponse()
vatrc = token_cookie.AuthTokenResponseCodec(vatr, cacert=cacert)
self.assertRaises(token_cookie.SignatureException, vatrc.decode, data)
def test_login_handler(self):
"""Check whether an authentication token response is handled
and decoded correctly by the authenticator implementation."""
now = datetime.now()
expires = now + timedelta(0, 300)
pkey = importKey(_TEST_KEY)
# We need a CA signed certificate, so we use the one
# from above.
cert = x509.parse_certificate(_TEST_CERT)
cacert = x509.parse_certificate(_TEST_CA)
# Sanity check for the above certificates.
self.assertTrue(cert.check_signature(cacert))
auth = authenticator.Authenticator("Unit Test",
cert=_TEST_CERT,
key=_TEST_KEY,
ca_bundle=_TEST_CA)
atres = token_pb2.AuthTokenResponse()
atres.basic_creds.user_name = 'testosteronius'
atres.basic_creds.scope.extend(['one', 'two'])
atres.basic_creds.expires = calendar.timegm(expires.utctimetuple())
atres.app_name = 'Unit Test'
atres.original_uri = 'http://lolcathost:8080/foo/bar'
atres.certificate = _TEST_CERT
atres.granted = calendar.timegm(now.utctimetuple())
# FIXME(caoimhe): this should go away.
atres.random = 'A' * 64
atrc = token_cookie.AuthTokenResponseCodec(atres, privkey=pkey)
response = atrc.encode()
data = auth.login_handler(response)
self.assertEquals(2, len(data))
cookiedata = data[0]
nexturl = data[1]
self.assertEquals('http://lolcathost:8080/foo/bar', nexturl)