class TestTrustedIssuers(unittest.TestCase):
def setUp(self):
self.supportdocmgr = SupportDocumentManager()
def _is_trusted_issuer(self, *args, **kwds):
return self.supportdocmgr.is_trusted_issuer(*args, **kwds)
def test_trusted_secondaries(self):
PERSONA_HOST = 'login.persona.org'
self.assertTrue(self._is_trusted_issuer('test.com', PERSONA_HOST))
self.assertFalse(self._is_trusted_issuer('test.com', PERSONA_HOST,
trusted_secondaries=[], max_delegations=0))
def test_hostname_issuer(self):
self.assertTrue(self._is_trusted_issuer('test.com', 'test.com'))
self.assertFalse(self._is_trusted_issuer('abc.com', 'test.com',
max_delegations=0))
@patch('browserid.supportdoc.fetch_support_document',
patched_support_document)
def test_delegated_primary(self):
self.assertTrue(self._is_trusted_issuer('redirect.org',
'delegated.org'))
def test_disabled_delegated_primary(self):
self.assertFalse(self._is_trusted_issuer('redirect.org',
'delegated.org', max_delegations=0))
@patch('browserid.supportdoc.fetch_support_document',
patched_support_document)
def test_infinite_delegated_primary_recursion(self):
self.assertFalse(self._is_trusted_issuer('infinite.org', None))
self.assertFalse(self._is_trusted_issuer('infinite.org',
'delegated.org'))
def __init__(self, trusted_issuers=None, allowed_issuers=None, **kwargs):
"""LocalVerifier constructor, with the following extra config options:
:param ssl_certificate: The path to an optional ssl certificate to
use when doing SSL requests with the BrowserID server.
Set to True (the default) to use default certificate authorities.
Set to False to disable SSL verification.
"""
if isinstance(trusted_issuers, basestring):
trusted_issuers = trusted_issuers.split()
self.trusted_issuers = trusted_issuers
if trusted_issuers is not None:
kwargs["trusted_secondaries"] = trusted_issuers
if isinstance(allowed_issuers, basestring):
allowed_issuers = allowed_issuers.split()
self.allowed_issuers = allowed_issuers
if "ssl_certificate" in kwargs:
verify = kwargs["ssl_certificate"]
kwargs.pop("ssl_certificate")
if not verify:
self._emit_warning()
else:
verify = None
kwargs["supportdocs"] = SupportDocumentManager(verify=verify)
# Disable warning about evolving data formats, it's out of date.
kwargs.setdefault("warning", False)
super(LocalBrowserIdVerifier, self).__init__(**kwargs)
def __init__(self, audiences=None, trusted_secondaries=None,
supportdocs=None, warning=True):
super(LocalVerifier, self).__init__(audiences)
self.trusted_secondaries = trusted_secondaries
self.supportdocs = supportdocs or SupportDocumentManager()
if warning:
_emit_warning()
def __init__(self,
audiences=None,
trusted_secondaries=None,
supportdocs=None,
warning=False):
super(LocalVerifier, self).__init__(audiences)
self.trusted_secondaries = trusted_secondaries
self.supportdocs = supportdocs or SupportDocumentManager()
if warning:
# We used to emit a warning about the assertion format
# being subject to change. That's no longer true, but
# we still accept the `warning` arg for compatibility.
pass
def test_cache_eviction_based_on_time(self):
supportdocs = SupportDocumentManager(FIFOCache(cache_timeout=0.1))
verifier = LocalVerifier(["*"], supportdocs=supportdocs)
# Prime the cache by verifying an assertion.
assertion = make_assertion("*****@*****.**", "")
self.assertTrue(verifier.verify(assertion))
# Make it error out if re-fetching the keys
exc = RuntimeError("key fetch disabled")
with patched_supportdoc_fetching(exc=exc):
# It should be in the cache, so this works fine.
self.assertTrue(verifier.verify(assertion))
# But after sleeping it gets evicted and the error is triggered.
time.sleep(0.1)
self.assertRaises(RuntimeError, verifier.verify, assertion)
def __init__(self, **kwargs):
"""LocalVerifier constructor, with the following extra config options:
:param ssl_certificate: The path to an optional ssl certificate to
use when doing SSL requests with the BrowserID server.
Set to True (the default) to use default certificate authorities.
Set to False to disable SSL verification.
"""
if "ssl_certificate" in kwargs:
verify = kwargs["ssl_certificate"]
kwargs.pop("ssl_certificate")
if not verify:
self._emit_warning()
else:
verify = None
kwargs['supportdocs'] = SupportDocumentManager(verify=verify)
super(LocalVerifier, self).__init__(**kwargs)
def test_cache_eviction_during_write(self):
supportdocs = SupportDocumentManager(cache_timeout=0.1)
verifier = LocalVerifier(["*"], supportdocs=supportdocs)
# Prime the cache by verifying an assertion.
assertion1 = make_assertion("*****@*****.**", "", "1.com")
self.assertTrue(verifier.verify(assertion1))
self.assertEquals(len(supportdocs.cache), 1)
# Let that cached key expire
time.sleep(0.1)
# Now grab a different key; caching it should purge the expired key.
assertion2 = make_assertion("*****@*****.**", "", "2.com")
self.assertTrue(verifier.verify(assertion2))
self.assertEquals(len(supportdocs.cache), 1)
# Check that only the second entry is in cache.
exc = RuntimeError("key fetch disabled")
with patched_supportdoc_fetching(exc=exc):
self.assertTrue(verifier.verify(assertion2))
self.assertRaises(RuntimeError, verifier.verify, assertion1)
def test_cache_eviction_based_on_size(self):
supportdocs = SupportDocumentManager(max_size=2)
verifier = LocalVerifier(["*"], supportdocs=supportdocs)
# Prime the cache by verifying some assertions.
assertion1 = make_assertion("*****@*****.**", "", "1.com")
self.assertTrue(verifier.verify(assertion1))
assertion2 = make_assertion("*****@*****.**", "", "2.com")
self.assertTrue(verifier.verify(assertion2))
self.assertEquals(len(supportdocs.cache), 2)
# Hitting a third host should evict the first public key.
assertion3 = make_assertion("*****@*****.**", "", "3.com")
self.assertTrue(verifier.verify(assertion3))
self.assertEquals(len(supportdocs.cache), 2)
# Make it error out if re-fetching any keys
exc = RuntimeError("key fetch disabled")
with patched_supportdoc_fetching(exc=exc):
# It should have to re-fetch for 1, but not 2.
self.assertTrue(verifier.verify(assertion2))
self.assertRaises(RuntimeError, verifier.verify, assertion1)
class TestTrustedIssuers(unittest.TestCase):
def setUp(self):
self.supportdocmgr = SupportDocumentManager()
def _is_trusted_issuer(self, *args, **kwds):
return self.supportdocmgr.is_trusted_issuer(*args, **kwds)
def test_trusted_secondaries(self):
PERSONA_HOST = 'login.persona.org'
self.assertTrue(self._is_trusted_issuer('test.com', PERSONA_HOST))
self.assertFalse(
self._is_trusted_issuer('test.com',
PERSONA_HOST,
trusted_secondaries=[],
max_delegations=0))
def test_hostname_issuer(self):
self.assertTrue(self._is_trusted_issuer('test.com', 'test.com'))
self.assertFalse(
self._is_trusted_issuer('abc.com', 'test.com', max_delegations=0))
@patch('browserid.supportdoc.fetch_support_document',
patched_support_document)
def test_delegated_primary(self):
self.assertTrue(
self._is_trusted_issuer('redirect.org', 'delegated.org'))
def test_disabled_delegated_primary(self):
self.assertFalse(
self._is_trusted_issuer('redirect.org',
'delegated.org',
max_delegations=0))
@patch('browserid.supportdoc.fetch_support_document',
patched_support_document)
def test_infinite_delegated_primary_recursion(self):
self.assertFalse(self._is_trusted_issuer('infinite.org', None))
self.assertFalse(
self._is_trusted_issuer('infinite.org', 'delegated.org'))
def setUp(self):
self.supportdocmgr = SupportDocumentManager()
def setUp(self):
self.supportdocmgr = SupportDocumentManager()
