def test_account_full_auth_handshake(client):
u = db.user_with_pk(flask.g.db, U1.pk)
req1 = SignedMessage.sign(account.AuthReq(u.pk), SK1)
rv1 = client.post(
'/account/challenge/gen',
json=req1.to_dict(),
)
assert rv1.status_code == 200
echal = Message.from_dict(rv1.json)
assert isinstance(echal, EncryptedMessage)
schal = EncryptedMessage.dec(echal, server.ENCKEY)
assert schal.is_valid()
chal, pk_used = schal.unwrap()
assert isinstance(chal, account.AuthChallenge)
assert pk_used == server.IDKEY.pubkey
req2 = SignedMessage.sign(account.AuthChallengeResp(echal), SK1)
rv2 = client.post(
'/account/challenge/verify',
json=req2.to_dict(),
)
assert rv2.status_code == 200
resp = Message.from_dict(rv2.json)
assert resp.err is None
assert isinstance(resp.cred, EncryptedMessage)
scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
assert scred.is_valid()
cred, pk_used = scred.unwrap()
assert isinstance(cred, account.AccountCred)
assert pk_used == server.IDKEY.pubkey
def test_encryptedmessage_crypt_identity_3():
# EncryptedMessage can store a EncryptedMessage, thorela at the time of
# writing, there's no need for this. It's just for completeness
ek_sub = Enckey.gen()
m_in = EncryptedMessage.enc(Stub(29874), ek_sub)
m_out = EncryptedMessage.enc(m_in, EK).dec(EK)
assert m_in == m_out
def expire_from_ecred(
ecred: EncryptedMessage, ek: crypto.Enckey, pk: crypto.Pubkey) \
-> float:
scred = ecred.dec(ek)
assert isinstance(scred, SignedMessage)
cred, pk_used = scred.unwrap()
assert pk_used == pk
assert isinstance(cred, account.AccountCred)
return cred.expire
def test_authchallengeresp_happy():
db_conn = get_db()
u = db.user_with_pk(db_conn, U1.pk)
echal = get_chal(u)
sacr = SignedMessage.sign(account.AuthChallengeResp(echal), SK1)
resp = server.handle_authchallengeresp(db_conn, sacr)
assert resp.err is None
assert isinstance(resp.cred, EncryptedMessage)
scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
cred, pk_used = SignedMessage.unwrap(scred)
assert pk_used == server.IDKEY.pubkey
assert cred.expire > time.time()
def test_authreq_happy():
db_conn = get_db()
smsg = SignedMessage.sign(account.AuthReq(SK1.pubkey), SK1)
resp = server.handle_authreq(db_conn, smsg)
assert isinstance(resp, EncryptedMessage)
schal = EncryptedMessage.dec(resp, server.ENCKEY)
assert isinstance(schal, SignedMessage)
assert schal.is_valid()
chal, pk_used = schal.unwrap()
assert isinstance(chal, account.AuthChallenge)
assert pk_used == server.IDKEY.pubkey
assert chal.user == db.user_with_pk(db_conn, chal.user.pk)
assert chal.expire > time.time()
def test_account_challenge_gen(client):
u = db.user_with_pk(flask.g.db, U1.pk)
req = SignedMessage.sign(account.AuthReq(u.pk), SK1)
rv = client.post(
'/account/challenge/gen',
json=req.to_dict(),
)
assert rv.status_code == 200
eresp = Message.from_dict(rv.json)
assert isinstance(eresp, EncryptedMessage)
sresp = EncryptedMessage.dec(eresp, server.ENCKEY)
resp, pk_used = sresp.unwrap()
assert isinstance(resp, account.AuthChallenge)
assert pk_used == server.IDKEY.pubkey
assert resp.user == u
def test_location_update_happy():
db_conn = get_db()
u = db.user_with_pk(db_conn, U1.pk)
ecred = get_cred(u)
original_expire = expire_from_ecred(ecred, server.ENCKEY,
server.IDKEY.pubkey)
loc = location.Location(u, loca.Coords(42, 69), time.time())
lu = location.LocationUpdate(loc, ecred)
slu = SignedMessage.sign(lu, SK1)
resp = server.handle_location_update(db_conn, slu)
assert resp.ok
assert isinstance(resp.cred, EncryptedMessage)
scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
cred, pk_used = SignedMessage.unwrap(scred)
assert pk_used == server.IDKEY.pubkey
assert cred.expire > original_expire
assert resp.err is None
def test_account_challenge_verify(client):
u = db.user_with_pk(flask.g.db, U1.pk)
echal = server.generate_auth_challenge(u)
req = SignedMessage.sign(account.AuthChallengeResp(echal), SK1)
rv = client.post(
'/account/challenge/verify',
json=req.to_dict(),
)
assert rv.status_code == 200
resp = Message.from_dict(rv.json)
assert isinstance(resp, account.AuthResp)
assert resp.err is None
assert isinstance(resp.cred, EncryptedMessage)
scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
assert scred.is_valid()
cred, pk_used = scred.unwrap()
assert pk_used == server.IDKEY.pubkey
assert cred.user == u
assert cred.expire > time.time()
def get_credchal(
u: user.User,
cls: Type[Union[account.AccountCred, account.AuthChallenge]],
expire: float,
scred_stub: bool = False,
scred_munge: bool = False,
cred_stub: bool = False,
cred_wrong_key: bool = False,
cred_expired: bool = False,
cred_wrong_user: bool = False,
) -> EncryptedMessage:
if scred_stub:
ecred = EncryptedMessage.enc(Stub(34444), server.ENCKEY)
elif scred_munge:
cred = cls(u, expire)
scred = SignedMessage.sign(cred, server.IDKEY)
scred.msg_bytes = b'fooooo'
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
elif cred_stub:
scred = SignedMessage.sign(Stub(2342), server.IDKEY)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
elif cred_wrong_key:
sk = crypto.Seckey((9879).to_bytes(32, byteorder='big'))
cred = cls(u, expire)
scred = SignedMessage.sign(cred, sk)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
elif cred_expired:
cred = cls(u, time.time() - 0.00001)
scred = SignedMessage.sign(cred, server.IDKEY)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
elif cred_wrong_user:
assert u != U2
fake_u = user.User(U2.nick, U2.pk, rowid=11)
cred = cls(fake_u, expire)
scred = SignedMessage.sign(cred, server.IDKEY)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
else:
cred = cls(u, expire)
scred = SignedMessage.sign(cred, server.IDKEY)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
return ecred
def test_encryptmessage_malformed():
em = EncryptedMessage.enc(Stub(420), EK)
em.ctext_nonce = b'nnnnnnnnnnnnnnnnnnnnnnnncccccccc'
with pytest.raises(nacl.exceptions.CryptoError):
em.dec(EK)
def fake_cred():
cred = AccountCred(U, time.time())
return EncryptedMessage.enc(cred, Enckey.gen())
def test_authresp_dict_both_cred_and_err():
ecred = EncryptedMessage.enc(
SignedMessage.sign(account.AccountCred.gen(U, 60), SK), EK)
err = account.AuthRespErr.Malformed
d = {'cred': ecred, 'err': err}
assert account.AuthResp.from_dict(d) is None
def test_authchallengeresp_str():
echal = EncryptedMessage.enc(Stub(1), EK)
acr = account.AuthChallengeResp(echal)
s = 'AuthChallengeResp<%s>' % (echal, )
assert str(acr) == s
def test_encryptedmessage_crypt_identity_1():
# EncryptedMessage can store a Message
m_in = Stub(29873987)
m_out = EncryptedMessage.enc(m_in, EK).dec(EK)
assert m_in == m_out
def get_cred(u: user.User) -> EncryptedMessage:
cred = account.AccountCred(u, time.time() + server.CRED_LIFETIME)
scred = SignedMessage.sign(cred, server.IDKEY)
ecred = EncryptedMessage.enc(scred, server.ENCKEY)
return ecred
def test_encryptmessage_dict_identity_2():
first = EncryptedMessage.enc(SignedMessage.sign(Stub(420), SK), EK)
second = EncryptedMessage.from_dict(first.to_dict())
assert first == second
def test_encryptmessage_dict_identity_3():
ek_sub = Enckey.gen()
first = EncryptedMessage.enc(EncryptedMessage.enc(Stub(420), ek_sub), EK)
second = EncryptedMessage.from_dict(first.to_dict())
assert first == second
from rela.lib.messages import account
from rela.lib.messages import Message, SignedMessage, EncryptedMessage, Stub
from rela.lib.user import User
from rela.lib.crypto import Pubkey, Seckey, Enckey
from base64 import b64encode, b64decode
import time
U = User('Foo', Pubkey((1).to_bytes(32, byteorder='big')), rowid=420)
SK = Seckey((28379873947).to_bytes(32, byteorder='big'))
EK = Enckey.gen()
ALL_ACCRESP_ARG_SETS = [
(EncryptedMessage.enc(
SignedMessage.sign(account.AccountCred.gen(U, 60), SK), EK), None),
(None, account.AuthRespErr.BadSig),
(None, account.AuthRespErr.BadSig),
(None, account.AuthRespErr.PubkeyExists),
(None, account.AuthRespErr.Malformed),
(None, account.AuthRespErr.WrongPubkey),
]
def test_accountreq_dict_identity():
first = account.AccountReq(U.nick, U.pk)
second = Message.from_dict(first.to_dict())
assert first == second
def test_accountreq_to_dict():
ar = account.AccountReq(U.nick, U.pk)
d = ar.to_dict()
assert d['nick'] == U.nick
def test_encryptedmessage_crypt_identity_2():
# EncryptedMessage can store a SignedMessage
m_in = SignedMessage.sign(Stub(29874987), SK)
m_out = EncryptedMessage.enc(m_in, EK).dec(EK)
assert m_in == m_out
def test_authchallenegeresp_dict_identity():
echal = EncryptedMessage.enc(Stub(1), EK)
first = account.AuthChallengeResp(echal)
second = account.AuthChallengeResp.from_dict(first.to_dict())
assert first == second
def really_fake_cred() -> EncryptedMessage:
return EncryptedMessage.enc(Stub(1), crypto.Enckey.gen())
def test_authchallengeresp_dict_no_enc_chal():
echal = EncryptedMessage.enc(Stub(1), EK)
d = account.AuthChallengeResp(echal).to_dict()
del d['enc_chal']
assert account.AuthChallengeResp.from_dict(d) is None