def test_audience_verification(self): # create an assertion with the audience set to http://persona.org for # the tests. This assertion is only valid for this audience. assertion = make_assertion("*****@*****.**", "http://persona.org") # we don't set any audience explicitely here verifier = LocalVerifier() # specifying the audience on verifier.verify uses it. self.assertRaises(AudienceMismatchError, verifier.verify, assertion, audience="*.example.com") # if we change the audience to the expected one, the assertion is # considered valid self.assertTrue(verifier.verify(assertion, audience="persona.org")) # specifying the audience when creating the verifier AND when calling # verifier.verify. verifier = LocalVerifier(["*.example.com"]) self.assertRaises(AudienceMismatchError, verifier.verify, assertion, audience="*.example.com") # specifying a different audience at instanciation and at verification, # only the last one is used. self.assertTrue(verifier.verify(assertion, audience="persona.org")) # overwritting the audience with an invalid one (we are waiting for # persona.org but getting example.com) raises an error self.assertRaises(AudienceMismatchError, verifier.verify, audience="persona.org", assertion=make_assertion("*****@*****.**", "http://example.com")) # the assertion is valid for http://persona.org; the verifier is # configured to accept this audience so it should validate verifier = LocalVerifier(["persona.org"]) self.assertTrue(verifier.verify(assertion)) # but if we ask explicitely for a different audience (the assertion is # not accepted, even if the instance is configured so) self.assertRaises(AudienceMismatchError, verifier.verify, assertion, audience="example.com")
def test_cache_eviction_based_on_time(self): supportdocs = SupportDocumentManager(FIFOCache(cache_timeout=0.1)) verifier = LocalVerifier(["*"], supportdocs=supportdocs) # Prime the cache by verifying an assertion. assertion = make_assertion("*****@*****.**", "") self.assertTrue(verifier.verify(assertion)) # Make it error out if re-fetching the keys exc = RuntimeError("key fetch disabled") with patched_supportdoc_fetching(exc=exc): # It should be in the cache, so this works fine. self.assertTrue(verifier.verify(assertion)) # But after sleeping it gets evicted and the error is triggered. time.sleep(0.1) self.assertRaises(RuntimeError, verifier.verify, assertion)
def test_cache_eviction_based_on_time(self): certs = CertificatesManager(FIFOCache(cache_timeout=0.1)) verifier = LocalVerifier(["*"], certs=certs, warning=False) # Prime the cache by verifying an assertion. assertion = make_assertion("*****@*****.**", "") self.assertTrue(verifier.verify(assertion)) # Make it error out if re-fetching the keys with patched_key_fetching(exc=RuntimeError("key fetch disabled")): verifier.fetch_public_key = fetch_public_key # It should be in the cache, so this works fine. verifier.verify(assertion) # But after sleeping it gets evicted and the error is triggered. time.sleep(0.1) self.assertRaises(RuntimeError, verifier.verify, assertion)
def test_account_login_persona(self): from floof.views.account import account_login_persona as view def verify(request, next_url, flash_msg): response = view(request.context, request) flashes = request.session['_f_'] assert len(flashes) == 1 assert flash_msg in flashes[0] assert response['redirect-to'] == next_url audience = 'https://localhost' self.config.add_settings({'auth.persona.audience': audience}) request = self._make_request() request.method = 'POST' request.user = sim.sim_user(credentials=[('persona', OLD_ASSERTION_ADDR)]) # Test failures trials = ((None, 'unspecified error'), ('', 'unspecified error'), (self._randstr(), 'unspecified error'), (OLD_ASSERTION, 'signature was invalid')) for a, f in trials: request.POST = MultiDict({'assertion': a}) verify(request, next_url=request.route_url('account.login'), flash_msg=f) request.session.clear() # Test success email = self._randstr() + '@example.com' verifier = LocalVerifier([audience], warning=False) a = make_assertion(email, audience) request.POST = MultiDict({'assertion': a}) request.user = sim.sim_user(credentials=[('persona', email)]) request.environ['paste.testing'] = True request.environ['tests.auth.persona.verifier'] = verifier request.environ['tests.auth.persona.audience'] = audience with patched_supportdoc_fetching(): verify(request, next_url=request.route_url('root'), flash_msg='Re-authentication successful')
def test_cache_eviction_during_write(self): certs = CertificatesManager(cache_timeout=0.1) verifier = LocalVerifier(["*"], certs=certs, warning=False) # Prime the cache by verifying an assertion. assertion1 = make_assertion("*****@*****.**", "", "1.com") self.assertTrue(verifier.verify(assertion1)) self.assertEquals(len(certs.cache), 1) # Let that cached key expire time.sleep(0.1) # Now grab a different key; caching it should purge the expired key. assertion2 = make_assertion("*****@*****.**", "", "2.com") self.assertTrue(verifier.verify(assertion2)) self.assertEquals(len(certs.cache), 1) # Check that only the second entry is in cache. with patched_key_fetching(exc=RuntimeError("key fetch disabled")): self.assertTrue(verifier.verify(assertion2)) self.assertRaises(RuntimeError, verifier.verify, assertion1)
def verifyBackedAssertion(audience, assertion): if True: from browserid import LocalVerifier v = LocalVerifier(["*"], warning=False) print "local verification", v.verify(assertion) return else: url = "https://verifier.accounts.firefox.com/v2" headers = {"content-type": "application/json"} r = requests.post(url, headers=headers, data=json.dumps({ "audience": audience, "assertion": assertion })) if r.status_code != 200: raise WebError(r) return r.json()
def test_cache_eviction_during_write(self): supportdocs = SupportDocumentManager(cache_timeout=0.1) verifier = LocalVerifier(["*"], supportdocs=supportdocs) # Prime the cache by verifying an assertion. assertion1 = make_assertion("*****@*****.**", "", "1.com") self.assertTrue(verifier.verify(assertion1)) self.assertEquals(len(supportdocs.cache), 1) # Let that cached key expire time.sleep(0.1) # Now grab a different key; caching it should purge the expired key. assertion2 = make_assertion("*****@*****.**", "", "2.com") self.assertTrue(verifier.verify(assertion2)) self.assertEquals(len(supportdocs.cache), 1) # Check that only the second entry is in cache. exc = RuntimeError("key fetch disabled") with patched_supportdoc_fetching(exc=exc): self.assertTrue(verifier.verify(assertion2)) self.assertRaises(RuntimeError, verifier.verify, assertion1)
def test_cache_eviction_based_on_size(self): certs = CertificatesManager(max_size=2) verifier = LocalVerifier(["*"], certs=certs, warning=False) # Prime the cache by verifying some assertions. assertion1 = make_assertion("*****@*****.**", "", "1.com") self.assertTrue(verifier.verify(assertion1)) assertion2 = make_assertion("*****@*****.**", "", "2.com") self.assertTrue(verifier.verify(assertion2)) self.assertEquals(len(certs.cache), 2) # Hitting a third host should evict the first public key. assertion3 = make_assertion("*****@*****.**", "", "3.com") self.assertTrue(verifier.verify(assertion3)) self.assertEquals(len(certs.cache), 2) # Make it error out if re-fetching any keys with patched_key_fetching(exc=RuntimeError("key fetch disabled")): # It should have to re-fetch for 1, but not 2. self.assertTrue(verifier.verify(assertion2)) self.assertRaises(RuntimeError, verifier.verify, assertion1)
def test_cache_eviction_based_on_size(self): supportdocs = SupportDocumentManager(max_size=2) verifier = LocalVerifier(["*"], supportdocs=supportdocs) # Prime the cache by verifying some assertions. assertion1 = make_assertion("*****@*****.**", "", "1.com") self.assertTrue(verifier.verify(assertion1)) assertion2 = make_assertion("*****@*****.**", "", "2.com") self.assertTrue(verifier.verify(assertion2)) self.assertEquals(len(supportdocs.cache), 2) # Hitting a third host should evict the first public key. assertion3 = make_assertion("*****@*****.**", "", "3.com") self.assertTrue(verifier.verify(assertion3)) self.assertEquals(len(supportdocs.cache), 2) # Make it error out if re-fetching any keys exc = RuntimeError("key fetch disabled") with patched_supportdoc_fetching(exc=exc): # It should have to re-fetch for 1, but not 2. self.assertTrue(verifier.verify(assertion2)) self.assertRaises(RuntimeError, verifier.verify, assertion1)
def test_audience_pattern_checking(self): verifier = LocalVerifier(["*.moz.com", "www.test.com"], warning=False) # Domains like *.moz.com should be valid audiences. # They will work with both the implicit patterns and explicit audience. assertion = make_assertion("*****@*****.**", "www.moz.com") self.assertTrue(verifier.verify(assertion)) self.assertTrue(verifier.verify(assertion, "www.moz.com")) self.assertRaises(AudienceMismatchError, verifier.verify, assertion, "www.test.com") # The specific domain www.test.com should be a valid audience. # It will work with both the implicit patterns and explicit audience. assertion = make_assertion("*****@*****.**", "www.test.com") self.assertTrue(verifier.verify(assertion)) self.assertTrue(verifier.verify(assertion, "www.test.com")) self.assertRaises(AudienceMismatchError, verifier.verify, assertion, "www.moz.com") # Domains not matching any patterns should not be valid audiences. # They will fail unless given as an explicit argument. assertion = make_assertion("*****@*****.**", "www.evil.com") self.assertRaises(AudienceMismatchError, verifier.verify, assertion) self.assertTrue(verifier.verify(assertion, "www.evil.com"))
def test_email_validation(self): verifier = LocalVerifier(audiences="http://persona.org") # Null bytes in the email hostname. assertion = make_assertion("[email protected]\x00.com", "http://persona.org") self.assertRaises(ValueError, verifier.verify, assertion) # Newlines in the email hostanem. assertion = make_assertion("[email protected]\[email protected]", "http://persona.org") self.assertRaises(ValueError, verifier.verify, assertion) # Null bytes in the email username. assertion = make_assertion(u"test\[email protected]", "http://persona.org") self.assertRaises(ValueError, verifier.verify, assertion) # Null bytes with regex-busting newline. assertion = make_assertion(u"[email protected]\u0000\[email protected]", "http://persona.org") self.assertRaises(ValueError, verifier.verify, assertion)
def setUp(self): super(TestWorkerPoolVerifier, self).setUp() self.verifier = WorkerPoolVerifier( verifier=LocalVerifier(["*"], warning=False) )
def setUp(self): self.patched = patched_supportdoc_fetching() self.patched.__enter__() self.verifier = LocalVerifier(["*"], warning=False)
def setUp(self): with warnings.catch_warnings(record=True) as w: warnings.simplefilter("always") self.verifier = LocalVerifier(["*"]) # There should be a warning about using this verifier. self.assertEquals(w[0].category, FutureWarning)
def setUp(self): super(TestWorkerPoolVerifier, self).setUp() self.verifier = WorkerPoolVerifier(verifier=LocalVerifier(["*"]))
def setUp(self): with warnings.catch_warnings(record=True) as w: warnings.simplefilter("always") self.verifier = LocalVerifier(["*"]) # There should be no warning about using this verifier. self.assertEquals(len(w), 0)