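def test_client_with_password_gamepassword(self):
    """
    Case where a player saved the password to join the game in its UrT config.
    As a result, we find a 'password' field in the clientuserinfo line.
    This value must not overwrite the 'password' property of the Client object.

    Every key in the clientuserinfo line is chosen by the connecting game
    client, so it is untrusted input. The test pins that the 'password' key
    found there never replaces the value the Client object got from storage.
    """
    # GIVEN a known client
    # The fixture password has to equal the value asserted right after
    # connects(); with a masked placeholder here the precondition cannot hold.
    c = FakeClient(console=self.console, name="Zesco", guid="58D4069246865BB5A85F20FB60ED6F65",
                   login="******", password="password_in_database")
    c.save()
    c.connects('15')
    self.assertEqual('password_in_database', c.password)

    # WHEN the game reports a userinfo line that carries its own 'password' key
    infoline = r"15 \ip\1.2.3.4:27960\name\Zesco\password\some_password_here\racered\2\raceblue\3\rate\8000\ut_timenudge\0\cg_rgb\128 128 128\cg_predictitems\0\cg_physics\1\snaps\20\model\sarge\headmodel\sarge\team_model\james\team_headmodel\*james\color1\4\color2\5\handicap\100\sex\male\cl_anonymous\0\gear\GMIORAA\teamtask\0\cl_guid\58D4069246865BB5A85F20FB60ED6F65\weapmodes\00000110120000020002"
    self.assertIn('15', self.console.clients)
    self.console.OnClientuserinfo(action=None, data=infoline)

    # THEN the ordinary fields are updated from the userinfo line...
    client = self.console.clients['15']
    self.assertEqual('1.2.3.4', client.ip)
    self.assertEqual('Zesco^7', client.exactName)
    self.assertEqual('Zesco', client.name)
    self.assertEqual('58D4069246865BB5A85F20FB60ED6F65', client.guid)
    # ...but the password still holds the stored value, not 'some_password_here'
    self.assertEqual('password_in_database', client.password)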
def test_high_level_having_password(self):
    """
    A client saved with groupBits=128 and a password is held at groupBits 2
    on connect and is told how to log in.
    """
    # GIVEN a saved client with groupBits=128 and a stored password digest
    joe = FakeClient(
        self.console,
        name="Joe",
        guid="joeguid",
        groupBits=128,
        password=F00_MD5,
    )
    joe.save()

    # WHEN the client connects with a clean message history
    joe.clearMessageHistory()
    joe.connects("0")

    # THEN the only message is the login prompt, and the client is left at
    # groupBits 2 rather than the saved 128
    # NOTE(review): the prompt directs the player to '/tell' from the console,
    # presumably so the password is not typed into public chat - confirm.
    expected_prompt = ['Login via console: /tell 0 !login yourpassword']
    self.assertEqual(expected_prompt, joe.message_history)
    self.assertEqual(2, joe.groupBits)
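def test_known_client_with_unverified_guid_but_same_ip_is_auth(self):
    """
    A client already known to storage is reported by the 'players' command with
    its GUID followed by '(?)' and the same IP address as the saved record;
    sync() must return that client as authed.

    NOTE(review): per the test name the '(?)' suffix means the GUID is not yet
    verified, so the trust decision pinned here rests on the IP address matching
    the saved record. Clients that share an address (NAT, shared egress) cannot
    be told apart by that check - confirm that privileged actions are gated by
    something stronger than this match.
    """
    # GIVEN a known client Bob
    bob = FakeClient(self.parser, name="bob", guid="80a50000000000000000000000fcbc7d", ip="111.22.3.4")
    bob.save()

    # WHEN the server lists Bob with an unverified GUID from the same address.
    # The mocked response is a multi-line listing: one header block, one row
    # per player, then the summary line.
    when(self.parser.output).write('players').thenReturn('''\
Players on server:
[#] [IP Address]:[Port] [Ping] [GUID] [Name]
--------------------------------------------------
2 111.22.3.4:2316 47 80a50000000000000000000000fcbc7d(?) bob
(1 players in total)
''')
    rv = self.parser.sync()

    # THEN slot 2 maps to Bob's record and is flagged as authed
    self.assertIn('2', rv)
    client = rv["2"]
    self.assertEqual(bob.guid, client.guid)
    self.assertEqual(bob.ip, client.ip)
    self.assertTrue(client.authed)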
class Test_cmd_login(LoginTestCase):
    """
    Behaviour of the '!login' command.

    The shared fixture 'jack' is saved with groupBits=128 and a stored password
    (F00_MD5). The tests below show that such a client sits at groupBits 2 after
    connecting and only gets 128 back after a successful '!login'.

    NOTE(review): F00_MD5 is defined outside this listing; going by the fixture
    names (F00_MD5, batman_md5) passwords appear to be kept as plain MD5
    digests. A fast unsalted digest is weak for password storage - confirm
    whether a salted, deliberately slow scheme is an option.
    """

    def setUp(self):
        LoginTestCase.setUp(self)
        self.init_plugin()
        # create a client which needs to log in and has a password saved in database
        self.jack = FakeClient(
            self.console,
            name="Jack",
            guid="jackguid",
            groupBits=128,
            password=F00_MD5,
        )
        self.jack.save()

    def test_already_logged_in(self):
        """A client already flagged 'loggedin' is told so and nothing else."""
        # GIVEN
        joe = FakeClient(self.console, name="Joe", guid="joeguid", groupBits=128)
        joe.setvar(self.p, 'loggedin', 1)
        joe.connects("0")
        # WHEN
        joe.clearMessageHistory()
        joe.says("!login")
        # THEN
        self.assertEqual(['You are already logged in'], joe.message_history)

    def test_low_level(self):
        """A client with groupBits=8 is told that no login is required."""
        # GIVEN
        joe = FakeClient(self.console, name="Joe", guid="joeguid", groupBits=8)
        joe.connects("0")
        # WHEN
        joe.clearMessageHistory()
        joe.says("!login")
        # THEN
        self.assertEqual(['You do not need to log in'], joe.message_history)
        # NOTE(review): this checks self.jack, who never connects in this test,
        # so it cannot fail because of what joe did; it looks like joe was the
        # intended subject - confirm.
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_no_parameter(self):
        """'!login' without a password prints the usage text and grants nothing."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login")
        # THEN
        self.assertEqual(['Usage (via console): /tell 0 !login yourpassword'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_wrong_password(self):
        """A wrong password is refused and the client stays at groupBits 2."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login qsfddqsf")
        # THEN
        self.assertEqual(['***Access denied***'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_correct_password(self):
        """The right password restores groupBits 128 and sets 'loggedin'."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login f00")
        # THEN
        self.assertEqual(['You are successfully logged in'], self.jack.message_history)
        self.assertEqual(128, self.jack.groupBits)
        self.assertTrue(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_spoofed_password_with_compromised_client_object(self):
        """
        in some B3 game parser implementation there is an issue which could let the 'password' property of client
        objects be compromised.

        Here the in-memory 'password' attribute is overwritten after connect and
        the matching plaintext is then offered to '!login'. The login must be
        refused, i.e. the overwritten attribute must not be what the command
        checks against.
        """
        # GIVEN
        batman_md5 = 'ec0e2603172c73a8b644bb9456c1ff6e'
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # simulate the compromised attribute
        self.jack.password = batman_md5
        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login batman")
        # THEN
        self.assertEqual(['***Access denied***'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_correct_password_with_compromised_client_object(self):
        """
        in some B3 game parser implementation there is an issue which could let the 'password' property of client
        objects be compromised.

        Counterpart of the spoofing test: with the in-memory attribute
        overwritten, the password that was saved for the client must still be
        accepted.
        """
        # GIVEN
        batman_md5 = 'ec0e2603172c73a8b644bb9456c1ff6e'
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # simulate the compromised attribute
        self.jack.password = batman_md5
        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login f00")
        # THEN
        self.assertEqual(['You are successfully logged in'], self.jack.message_history)
        self.assertEqual(128, self.jack.groupBits)
        self.assertTrue(self.jack.isvar(self.p, 'loggedin'))
class Test_cmd_login(LoginTestCase):
    """
    Test suite for the '!login' command.

    setUp saves a client 'jack' with groupBits=128 and a stored password
    (F00_MD5). As the assertions below show, jack is at groupBits 2 once
    connected and only returns to 128 after '!login' succeeds.

    NOTE(review): F00_MD5 comes from outside this listing; the fixture names
    (F00_MD5, batman_md5) suggest plain MD5 digests are what gets stored. That
    is weak protection for stored passwords - confirm whether a salted, slow
    hashing scheme can be used instead.
    """

    def setUp(self):
        LoginTestCase.setUp(self)
        self.init_plugin()
        # create a client which needs to log in and has a password saved in database
        self.jack = FakeClient(
            self.console, name="Jack", guid="jackguid", groupBits=128, password=F00_MD5
        )
        self.jack.save()

    def test_already_logged_in(self):
        """'!login' from a client whose 'loggedin' var is set only reports that."""
        # GIVEN
        joe = FakeClient(self.console, name="Joe", guid="joeguid", groupBits=128)
        joe.setvar(self.p, 'loggedin', 1)
        joe.connects("0")

        # WHEN
        joe.clearMessageHistory()
        joe.says("!login")

        # THEN
        self.assertEqual(['You are already logged in'], joe.message_history)

    def test_low_level(self):
        """'!login' from a groupBits=8 client answers that login is not needed."""
        # GIVEN
        joe = FakeClient(self.console, name="Joe", guid="joeguid", groupBits=8)
        joe.connects("0")

        # WHEN
        joe.clearMessageHistory()
        joe.says("!login")

        # THEN
        self.assertEqual(['You do not need to log in'], joe.message_history)
        # NOTE(review): the subject here is self.jack, who is never connected
        # in this test, rather than joe; the check looks vacuous as written -
        # confirm which client was meant.
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_no_parameter(self):
        """Without a password argument the usage text is shown; no privileges change."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)

        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login")

        # THEN
        self.assertEqual(['Usage (via console): /tell 0 !login yourpassword'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_wrong_password(self):
        """An incorrect password yields the denial message and no privileges."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)

        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login qsfddqsf")

        # THEN
        self.assertEqual(['***Access denied***'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_correct_password(self):
        """The stored password brings groupBits back to 128 and marks the client logged in."""
        # GIVEN
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)

        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login f00")

        # THEN
        self.assertEqual(['You are successfully logged in'], self.jack.message_history)
        self.assertEqual(128, self.jack.groupBits)
        self.assertTrue(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_spoofed_password_with_compromised_client_object(self):
        """
        in some B3 game parser implementation there is an issue which could let the 'password' property of client
        objects be compromised.

        The test replaces jack's in-memory 'password' attribute after connect,
        then tries to log in with the plaintext matching the replacement. The
        expected outcome is a denial: the replaced attribute must not decide
        the result of '!login'.
        """
        # GIVEN
        batman_md5 = 'ec0e2603172c73a8b644bb9456c1ff6e'
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # stand-in for the attribute having been tampered with
        self.jack.password = batman_md5

        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login batman")

        # THEN
        self.assertEqual(['***Access denied***'], self.jack.message_history)
        self.assertEqual(2, self.jack.groupBits)
        self.assertFalse(self.jack.isvar(self.p, 'loggedin'))

    def test_high_level_correct_password_with_compromised_client_object(self):
        """
        in some B3 game parser implementation there is an issue which could let the 'password' property of client
        objects be compromised.

        Same tampering as in the spoofing test, but the password saved for
        jack is supplied: the login must still succeed, so a tampered
        attribute does not lock the legitimate user out either.
        """
        # GIVEN
        batman_md5 = 'ec0e2603172c73a8b644bb9456c1ff6e'
        self.jack.connects("0")
        # the login plugin set his level down to 2 while waiting for the password
        self.assertEqual(2, self.jack.groupBits)
        # stand-in for the attribute having been tampered with
        self.jack.password = batman_md5

        # WHEN
        self.jack.clearMessageHistory()
        self.jack.says("!login f00")

        # THEN
        self.assertEqual(['You are successfully logged in'], self.jack.message_history)
        self.assertEqual(128, self.jack.groupBits)
        self.assertTrue(self.jack.isvar(self.p, 'loggedin'))