def test_ip_whitelisted_bot(self):
    """An anonymous peer calling from an IP in the bots whitelist is
    authenticated as 'bot:whitelisted-ip'; from any other IP it stays
    anonymous.
    """
    # Seed the whitelist named by model.bots_ip_whitelist() with one /32.
    model.bootstrap_ip_whitelist(
        model.bots_ip_whitelist(), ['192.168.1.100/32'])

    def expected(identity, ip):
        # Both current and peer identity are the same here: no delegation,
        # no superuser, just the identity derived from the peer address.
        return CapturedState(
            current_identity=identity,
            is_superuser=False,
            peer_identity=identity,
            peer_ip=ipaddr.ip_from_string(ip),
            delegation_token=None,
        )

    # Whitelisted source address => bot identity.
    state, _ = self.call('ipv4:192.168.1.100', None)
    self.assertEqual(state, expected('bot:whitelisted-ip', '192.168.1.100'))

    # Non-whitelisted source address => remains anonymous.
    state, _ = self.call('ipv4:127.0.0.1', None)
    self.assertEqual(state, expected('anonymous:anonymous', '127.0.0.1'))
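def test_ip_from_string_v6_ok(self):
    """Fully expanded (eight-group) IPv6 literals parse to 128-bit values.

    The last case previously used a Python 2 ``L`` long-literal suffix. The
    suffix is dropped: Python 2 promotes an oversized literal to ``long`` on
    its own, and the suffix is a syntax error on Python 3, so the value is
    unchanged while the file becomes loadable on both.
    """
    cases = [
        ("0:0:0:0:0:0:0:0", 0),
        ("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", 2 ** 128 - 1),
        ("0:0:0:0:0:0:0:1", 1),
        ("ffff:0:0:0:0:0:0:0", 0xFFFF0000000000000000000000000000),
    ]
    for text, value in cases:
        self.assertEqual(ipaddr.IP(128, value), ipaddr.ip_from_string(text))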
def test_ip_from_string_v4_ok(self):
    """Dotted-quad IPv4 literals parse to 32-bit IP values.

    The final case shows that octets with leading zeros ('127.000.000.001')
    are accepted. Note it cannot distinguish a decimal from an octal reading
    of such octets ('000' and '001' are equal either way); an octet such as
    '010' would pin that down and is worth a dedicated case, since
    allowlist checks rely on every parser reading the same text the same
    way.
    """
    expected = [
        ('0.0.0.0', 0),
        ('255.255.255.255', 0xffffffff),
        ('127.0.0.1', 0x7f000001),
        ('127.000.000.001', 0x7f000001),
    ]
    for text, value in expected:
        self.assertEqual(ipaddr.IP(32, value), ipaddr.ip_from_string(text))
def test_ip_from_string_v4_ok(self):
    """Dotted-quad IPv4 literals parse to 32-bit IP values.

    Leading zeros inside an octet ('127.000.000.001') are accepted; this
    test does not decide whether such octets are read as decimal or octal
    ('000' and '001' have the same value in both), so a '010'-style octet
    would be a useful additional case.
    """
    parse = ipaddr.ip_from_string

    self.assertEqual(ipaddr.IP(32, 0), parse('0.0.0.0'))
    self.assertEqual(ipaddr.IP(32, 0xffffffff), parse('255.255.255.255'))
    # Loopback spelled plainly and with zero-padded octets; same value.
    loopback = ipaddr.IP(32, 0x7f000001)
    self.assertEqual(loopback, parse('127.0.0.1'))
    self.assertEqual(loopback, parse('127.000.000.001'))
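def test_ip_from_string_v6_ok(self):
    """Fully expanded (eight-group) IPv6 literals parse to 128-bit values.

    The Python 2 ``L`` suffix on the last literal is removed: Python 2 makes
    the literal a ``long`` automatically and Python 3 rejects the suffix,
    so the value is identical and the source parses on both.
    """
    parse = ipaddr.ip_from_string

    self.assertEqual(ipaddr.IP(128, 0), parse('0:0:0:0:0:0:0:0'))
    self.assertEqual(
        ipaddr.IP(128, 2**128 - 1),
        parse('ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'))
    self.assertEqual(ipaddr.IP(128, 1), parse('0:0:0:0:0:0:0:1'))
    # Only the top 16 bits set.
    self.assertEqual(
        ipaddr.IP(128, 0xffff0000000000000000000000000000),
        parse('ffff:0:0:0:0:0:0:0'))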
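def test_ip_from_string_v6_ok(self):
    """Fully expanded (eight-group) IPv6 literals parse to 128-bit values.

    The ``L`` long-literal suffix (Python 2 only) is dropped from the last
    constant; Python 2 promotes the literal to ``long`` regardless, and
    Python 3 does not accept the suffix, so the value is unchanged.
    """
    cases = (
        (0, '0:0:0:0:0:0:0:0'),
        (2**128 - 1, 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'),
        (1, '0:0:0:0:0:0:0:1'),
        (0xffff0000000000000000000000000000, 'ffff:0:0:0:0:0:0:0'),
    )
    for value, text in cases:
        self.assertEqual(ipaddr.IP(128, value), ipaddr.ip_from_string(text))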
def test_ip_from_string_v6_omitting_zeros_ok(self):
    """'::' zero-compression parses to the same value as the expanded form."""
    # Compressed literals with a known numeric value.
    for text, value in [("::1", 1), ("::0", 0), ("::", 0)]:
        self.assertEqual(ipaddr.IP(128, value), ipaddr.ip_from_string(text))

    # Compressed spelling must equal its fully expanded spelling, with the
    # zero run in the middle, near the end, and at the end.
    pairs = [
        ("ffff:ffff:ffff:0:ffff:ffff:ffff:ffff",
         "ffff:ffff:ffff::ffff:ffff:ffff:ffff"),
        ("ffff:ffff:0:0:0:0:0:ffff", "ffff:ffff::ffff"),
        ("ffff:0:0:0:0:0:0:0", "ffff::"),
    ]
    for expanded, compressed in pairs:
        self.assertEqual(
            ipaddr.ip_from_string(expanded),
            ipaddr.ip_from_string(compressed))
def test_ip_from_string_v6_omitting_zeros_ok(self):
    """IPv6 '::' compression is accepted and equals the expanded spelling."""
    parse = ipaddr.ip_from_string

    # Loopback and two spellings of the all-zero address.
    self.assertEqual(ipaddr.IP(128, 1), parse('::1'))
    self.assertEqual(ipaddr.IP(128, 0), parse('::0'))
    self.assertEqual(ipaddr.IP(128, 0), parse('::'))

    # Each compressed form equals its explicit eight-group form.
    equivalents = (
        ('ffff:ffff:ffff:0:ffff:ffff:ffff:ffff',
         'ffff:ffff:ffff::ffff:ffff:ffff:ffff'),
        ('ffff:ffff:0:0:0:0:0:ffff', 'ffff:ffff::ffff'),
        ('ffff:0:0:0:0:0:0:0', 'ffff::'),
    )
    for long_form, short_form in equivalents:
        self.assertEqual(parse(long_form), parse(short_form))
def test_verify_ip_whitelisted_not_assigned(self):
    """An identity with no whitelist assignment is returned unchanged
    regardless of the caller's IP.

    192.168.0.100 is the address test_verify_ip_whitelisted_not_whitelisted
    expects to be refused; it passes here because no whitelist is required
    for this identity (the assignments live in
    make_auth_db_with_ip_whitelist(), defined elsewhere in this file).
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    caller = model.Identity(model.IDENTITY_USER, "*****@*****.**")
    source_ip = ipaddr.ip_from_string("192.168.0.100")

    verified = auth_db.verify_ip_whitelisted(caller, source_ip, {})

    self.assertEqual(caller, verified)
def test_verify_ip_whitelisted_bot_with_x_header(self):
    """An anonymous caller from a bots-whitelist IP may name itself through
    the X-Whitelisted-Bot-Id header.

    192.168.1.1 is in the 'bots' whitelist of the fixture; with the header
    present the result is bot:<header value> rather than the default
    'whitelisted-ip' name used by test_verify_ip_whitelisted_bot.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    request_headers = {"X-Whitelisted-Bot-Id": "bot-id"}

    verified = auth_db.verify_ip_whitelisted(
        model.Anonymous, ipaddr.ip_from_string("192.168.1.1"), request_headers)

    self.assertEqual(model.Identity(model.IDENTITY_BOT, "bot-id"), verified)
def test_verify_ip_whitelisted_ok(self):
    """A user calling from a whitelisted IP (127.0.0.1) is returned unchanged.

    Whether this identity carries a whitelist assignment is decided by
    make_auth_db_with_ip_whitelist(), defined elsewhere in this file.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    caller = model.Identity(model.IDENTITY_USER, "*****@*****.**")

    verified = auth_db.verify_ip_whitelisted(
        caller, ipaddr.ip_from_string("127.0.0.1"), {})

    self.assertEqual(caller, verified)
def test_delegation_token(self):
    """A well-formed delegation token is honored; a corrupted one is refused.

    The token carries a placeholder signature ('fake-signature') and is
    still accepted, so signature verification is presumably stubbed by the
    surrounding fixture; this method only exercises token decoding and the
    resulting identity switch.
    """
    # Bearer subtoken valid for any audience/service, created "now".
    subtoken = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=subtoken.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    tok = tokens.base64_encode(envelope.SerializeToString())

    def call_with_token(value):
        return self.call(
            'ipv4:127.0.0.1', '*****@*****.**',
            {'X-Delegation-Token-V1': value})

    # Intact token: the call runs as the delegated identity and the decoded
    # subtoken is exposed in the captured state.
    state, ctx = call_with_token(tok)
    self.assertEqual(state, CapturedState(
        current_identity='user:[email protected]',
        is_superuser=False,
        peer_identity='user:[email protected]',
        peer_ip=ipaddr.ip_from_string('127.0.0.1'),
        delegation_token=subtoken,
    ))

    # Trailing garbage makes the proto undecodable: no state is produced and
    # the RPC is rejected with PERMISSION_DENIED and an explanatory detail.
    state, ctx = call_with_token(tok + 'blah')
    self.assertIsNone(state)
    self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
    self.assertEqual(
        ctx.details, 'Bad delegation token: Bad proto: Truncated message.')
def test_ip_from_string_v4_bad(self):
    """Malformed IPv4 text raises ValueError instead of being parsed leniently."""
    rejected = [
        '',            # empty string
        '0.0.0',       # too few octets
        '127.0.0.a',   # non-numeric octet
        '256.0.0.1',   # octet out of range
    ]
    for text in rejected:
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)
def test_ip_from_string_v4_bad(self):
    """Malformed IPv4 text is rejected with ValueError."""
    def assert_rejected(text):
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)

    assert_rejected("")            # empty
    assert_rejected("0.0.0")       # only three octets
    assert_rejected("127.0.0.a")   # non-digit in an octet
    assert_rejected("256.0.0.1")   # octet exceeds 255
def test_ip_from_string_v6_omitting_zeros_ok(self):
    """'::' compression in IPv6 literals yields the same IP as the expanded form."""
    def parse(text):
        return ipaddr.ip_from_string(text)

    # Numeric value of compressed loopback and all-zero spellings.
    for value, text in ((1, '::1'), (0, '::0'), (0, '::')):
        self.assertEqual(ipaddr.IP(128, value), parse(text))

    # Expanded spelling vs. compressed spelling of the same address.
    self.assertEqual(
        parse('ffff:ffff:ffff:0:ffff:ffff:ffff:ffff'),
        parse('ffff:ffff:ffff::ffff:ffff:ffff:ffff'))
    self.assertEqual(
        parse('ffff:ffff:0:0:0:0:0:ffff'),
        parse('ffff:ffff::ffff'))
    self.assertEqual(
        parse('ffff:0:0:0:0:0:0:0'),
        parse('ffff::'))
def test_verify_ip_whitelisted_not_bot_with_x_header(self):
    """A non-anonymous caller presenting X-Whitelisted-Bot-Id is rejected.

    The header may only turn an anonymous, whitelisted peer into a bot
    (test_verify_ip_whitelisted_bot_with_x_header); an authenticated user
    sending it gets AuthorizationError even from 127.0.0.1, which is
    accepted without the header in test_verify_ip_whitelisted_ok.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    caller = model.Identity(model.IDENTITY_USER, "*****@*****.**")
    request_headers = {"X-Whitelisted-Bot-Id": "bot-id"}

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(
            caller, ipaddr.ip_from_string("127.0.0.1"), request_headers)
def test_verify_ip_whitelisted_bot_with_x_header(self):
    """Anonymous caller from 192.168.1.1 (in the fixture's 'bots' whitelist)
    becomes bot:<X-Whitelisted-Bot-Id> when that header is present.
    """
    bot_id = 'bot-id'
    auth_db = self.make_auth_db_with_ip_whitelist()

    verified = auth_db.verify_ip_whitelisted(
        model.Anonymous,
        ipaddr.ip_from_string('192.168.1.1'),
        {'X-Whitelisted-Bot-Id': bot_id})

    self.assertEqual(model.Identity(model.IDENTITY_BOT, bot_id), verified)
def mock_caller(self, ident, ip, gce_instance=None, gce_project=None):
    """Stub the auth peer accessors so code under test sees a fixed caller.

    ident: serialized identity text, parsed via auth.Identity.from_bytes.
    ip: IP address text, parsed via ipaddr.ip_from_string.
    gce_instance, gce_project: forwarded to auth.new_auth_details.
    Uses the fixture's self.mock helper (defined elsewhere in this file).
    """
    def peer_identity():
        return auth.Identity.from_bytes(ident)

    def peer_ip():
        return ipaddr.ip_from_string(ip)

    def auth_details():
        return auth.new_auth_details(
            gce_instance=gce_instance, gce_project=gce_project)

    self.mock(auth, 'get_peer_identity', peer_identity)
    self.mock(auth, 'get_peer_ip', peer_ip)
    self.mock(auth, 'get_auth_details', auth_details)
def test_is_ip_whitelisted(self):
    """AuthIPWhitelist membership with a bare host entry and a /24 entry."""
    whitelist = model.AuthIPWhitelist(subnets=['127.0.0.1', '192.168.0.0/24'])

    def listed(ip):
        return whitelist.is_ip_whitelisted(ipaddr.ip_from_string(ip))

    # The bare host entry matches itself; the /24 matches its first, a
    # middle, and its last address.
    for ip in ('127.0.0.1', '192.168.0.0', '192.168.0.9', '192.168.0.255'):
        self.assertTrue(listed(ip))
    # The adjacent /24 and an address differing in the second octet are out.
    for ip in ('192.168.1.0', '192.1.0.0'):
        self.assertFalse(listed(ip))
def test_anonymous_ipv6(self):
    """An unauthenticated IPv6 peer is recorded as anonymous with peer IP ::1."""
    # Bracketed form of the IPv6 literal as passed to the fixture's call().
    state, _ = self.call('ipv6:[::1]', None)

    anonymous = 'anonymous:anonymous'
    expected = CapturedState(
        current_identity=anonymous,
        is_superuser=False,
        peer_identity=anonymous,
        peer_ip=ipaddr.ip_from_string('::1'),
        delegation_token=None,
    )
    self.assertEqual(state, expected)
def test_good_access_token(self):
    """A caller with a valid access token is authenticated as that user,
    with no delegation and no superuser flag.
    """
    state, _ = self.call('ipv4:127.0.0.1', '*****@*****.**')

    user = 'user:[email protected]'
    expected = CapturedState(
        current_identity=user,
        is_superuser=False,
        peer_identity=user,
        peer_ip=ipaddr.ip_from_string('127.0.0.1'),
        delegation_token=None,
    )
    self.assertEqual(state, expected)
def test_verify_ip_whitelisted_not_bot_with_x_header(self):
    """X-Whitelisted-Bot-Id from an authenticated user is an AuthorizationError.

    Only an anonymous peer may be renamed into a bot by this header; a user
    identity sending it is refused even from 127.0.0.1, an address accepted
    without the header in test_verify_ip_whitelisted_ok.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    source_ip = ipaddr.ip_from_string('127.0.0.1')

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(
            caller, source_ip, {'X-Whitelisted-Bot-Id': 'bot-id'})
def test_ip_whitelist_whitelisted(self):
    """A user assigned to a whitelist is accepted when calling from an IP
    inside that whitelist.
    """
    # One /32 whitelist, assigned to the user under test.
    model.bootstrap_ip_whitelist('whitelist', ['192.168.1.100/32'])
    model.bootstrap_ip_whitelist_assignment(
        model.Identity(model.IDENTITY_USER, '*****@*****.**'), 'whitelist')

    state, _ = self.call('ipv4:192.168.1.100', '*****@*****.**')

    user = 'user:[email protected]'
    self.assertEqual(state, CapturedState(
        current_identity=user,
        is_superuser=False,
        peer_identity=user,
        peer_ip=ipaddr.ip_from_string('192.168.1.100'),
        delegation_token=None,
    ))
def test_ip_from_string_v6_bad(self):
    """Malformed IPv6 text raises ValueError.

    This variant of the test treats the '::' zero-compression syntax as
    unsupported, so '::0' must be rejected. Other methods in this file
    (test_ip_from_string_v6_omitting_zeros_ok) appear to come from a
    parser revision that accepts '::'; the two expectations are not meant
    to hold for the same implementation.
    """
    rejected = (
        '::0',                   # '::' syntax not supported by this parser
        '0:0:0:0:0:0:0',         # only seven groups
        '0:0:0:0:0:0:0:00gg',    # non-hex characters in a group
    )
    for text in rejected:
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)
def test_verify_ip_whitelisted_missing_whitelist(self):
    """An assignment naming a whitelist that does not exist denies access.

    Fail-closed: a dangling whitelist reference is an AuthorizationError,
    not an absent restriction.
    """
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    dangling = model.AuthIPWhitelistAssignments.Assignment(
        identity=caller, ip_whitelist='missing ip whitelist')
    auth_db = api.AuthDB(
        ip_whitelist_assignments=model.AuthIPWhitelistAssignments(
            assignments=[dangling]))

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(
            caller, ipaddr.ip_from_string('127.0.0.1'))
def test_verify_ip_whitelisted_missing_whitelist(self):
    """An identity assigned to a non-existent whitelist is denied.

    The check must fail closed: a whitelist name that resolves to nothing
    raises AuthorizationError rather than skipping the IP restriction.
    """
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    assignments = model.AuthIPWhitelistAssignments(assignments=[
        model.AuthIPWhitelistAssignments.Assignment(
            identity=caller,
            ip_whitelist='missing ip whitelist',
        ),
    ])
    auth_db = api.AuthDB(ip_whitelist_assignments=assignments)

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(
            caller, ipaddr.ip_from_string('127.0.0.1'), {})
def test_is_in_subnet(self):
    """IP/subnet membership for IPv4 and IPv6, including a family mismatch."""
    def contains(subnet, ip):
        return ipaddr.is_in_subnet(
            ipaddr.ip_from_string(ip), ipaddr.subnet_from_string(subnet))

    inside = [
        ("127.0.0.1/32", "127.0.0.1"),
        ("192.168.0.0/24", "192.168.0.25"),
        ("0.0.0.0/0", "255.255.255.255"),
        ("0:0:0:0:0:0:0:1/128", "0:0:0:0:0:0:0:1"),
        ("ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/112",
         "ffff:fffe:fffd:fffc:fffb:fffa:fff0:1234"),
    ]
    outside = [
        ("192.168.1.0/24", "192.168.0.25"),
        ("192.168.0.0/31", "192.168.0.25"),
        ("ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/112",
         "ffff:fffe:fffd:fffc:fffb:fffa:fff1:1234"),
        ("ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/127",
         "ffff:fffe:fffd:fffc:fffb:fffa:fff0:2"),
        # The all-zero IPv6 address is not "in" an IPv4 subnet even though
        # the numeric values coincide: address families must match.
        ("0.0.0.0/32", "0:0:0:0:0:0:0:0"),
    ]
    for subnet, ip in inside:
        self.assertTrue(contains(subnet, ip))
    for subnet, ip in outside:
        self.assertFalse(contains(subnet, ip))
def test_is_in_subnet(self):
    """Subnet membership: IPv4, IPv6, and a cross-family negative case."""
    def check(ip, subnet, expected):
        member = ipaddr.is_in_subnet(
            ipaddr.ip_from_string(ip), ipaddr.subnet_from_string(subnet))
        if expected:
            self.assertTrue(member)
        else:
            self.assertFalse(member)

    # IPv4.
    check('127.0.0.1', '127.0.0.1/32', True)
    check('192.168.0.25', '192.168.0.0/24', True)
    check('192.168.0.25', '192.168.1.0/24', False)
    check('192.168.0.25', '192.168.0.0/31', False)
    check('255.255.255.255', '0.0.0.0/0', True)

    # IPv6.
    check('0:0:0:0:0:0:0:1', '0:0:0:0:0:0:0:1/128', True)
    check('ffff:fffe:fffd:fffc:fffb:fffa:fff0:1234',
          'ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/112', True)
    check('ffff:fffe:fffd:fffc:fffb:fffa:fff1:1234',
          'ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/112', False)
    check('ffff:fffe:fffd:fffc:fffb:fffa:fff0:2',
          'ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/127', False)

    # Family mismatch: numerically equal zero addresses do not match across
    # IPv6 / IPv4.
    check('0:0:0:0:0:0:0:0', '0.0.0.0/32', False)
def test_is_in_subnet(self):
    """is_in_subnet over IPv4 and IPv6 literals, plus an IPv6-in-IPv4 mismatch."""
    def member(ip, subnet):
        parsed_ip = ipaddr.ip_from_string(ip)
        parsed_subnet = ipaddr.subnet_from_string(subnet)
        return ipaddr.is_in_subnet(parsed_ip, parsed_subnet)

    v6_net_112 = 'ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/112'
    v6_net_127 = 'ffff:fffe:fffd:fffc:fffb:fffa:fff0:0/127'

    positives = (
        ('127.0.0.1', '127.0.0.1/32'),
        ('192.168.0.25', '192.168.0.0/24'),
        ('255.255.255.255', '0.0.0.0/0'),
        ('0:0:0:0:0:0:0:1', '0:0:0:0:0:0:0:1/128'),
        ('ffff:fffe:fffd:fffc:fffb:fffa:fff0:1234', v6_net_112),
    )
    negatives = (
        ('192.168.0.25', '192.168.1.0/24'),
        ('192.168.0.25', '192.168.0.0/31'),
        ('ffff:fffe:fffd:fffc:fffb:fffa:fff1:1234', v6_net_112),
        ('ffff:fffe:fffd:fffc:fffb:fffa:fff0:2', v6_net_127),
        # Zero IPv6 address vs. zero IPv4 subnet: different families, no match.
        ('0:0:0:0:0:0:0:0', '0.0.0.0/32'),
    )

    for ip, subnet in positives:
        self.assertTrue(member(ip, subnet))
    for ip, subnet in negatives:
        self.assertFalse(member(ip, subnet))
def test_ip_from_string_v4_ok(self):
    """Dotted-quad IPv4 literals parse to 32-bit IP values.

    Zero-padded octets ("127.000.000.001") are accepted. Because "000" and
    "001" read the same in decimal and octal, this case does not establish
    which interpretation the parser uses; an octet like "010" would.
    """
    parsed = dict(
        (text, ipaddr.ip_from_string(text))
        for text in ("0.0.0.0", "255.255.255.255", "127.0.0.1",
                     "127.000.000.001"))

    self.assertEqual(ipaddr.IP(32, 0), parsed["0.0.0.0"])
    self.assertEqual(ipaddr.IP(32, 0xFFFFFFFF), parsed["255.255.255.255"])
    self.assertEqual(ipaddr.IP(32, 0x7F000001), parsed["127.0.0.1"])
    self.assertEqual(ipaddr.IP(32, 0x7F000001), parsed["127.000.000.001"])
def test_ip_from_string_v6_omitting_zeros_bad(self):
    """Misuse of '::' compression raises ValueError."""
    rejected = (
        "::1::",              # two '::' runs
        "0:0:0:0:0:0:0::0",   # '::' where all eight groups are already given
    )
    for text in rejected:
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)
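def test_verify_ip_whitelisted_bot_ipv6_loopback(self):
    """An anonymous caller from IPv6 loopback (::1) becomes a bot identity.

    The expected bot name, '0-0-0-0-0-0-0-1', looks like the fully expanded
    IPv6 address with ':' replaced by '-' (confirm against
    verify_ip_whitelisted). Whether ::1 is in the fixture's 'bots' whitelist
    is decided by make_auth_db_with_ip_whitelist(), defined elsewhere in
    this file.
    """
    # Anonymous + ::1 => bot identity derived from the IPv6 address. (The
    # earlier comment here mentioned 192.168.1.1; this test uses ::1.)
    result = self.make_auth_db_with_ip_whitelist().verify_ip_whitelisted(
        model.Anonymous, ipaddr.ip_from_string("::1"), {})
    self.assertEqual(
        model.Identity(model.IDENTITY_BOT, "0-0-0-0-0-0-0-1"), result)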
def test_ip_from_string_v6_bad(self):
    """Structurally invalid IPv6 text raises ValueError."""
    def assert_rejected(text):
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)

    assert_rejected("0:0:0:0:0:0:0")        # seven groups instead of eight
    assert_rejected("0:0:0:0:0:0:0:00gg")   # non-hex digits in a group
def test_verify_ip_whitelisted_not_assigned(self):
    """A user without a whitelist assignment passes from any source IP.

    No whitelist is required for this identity, so 192.168.0.100 — the
    address test_verify_ip_whitelisted_not_whitelisted expects to be
    refused — is accepted here and the identity comes back unchanged.
    """
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    auth_db = self.make_auth_db_with_ip_whitelist()

    verified = auth_db.verify_ip_whitelisted(
        caller, ipaddr.ip_from_string('192.168.0.100'), {})

    self.assertEqual(caller, verified)
def test_verify_ip_whitelisted_not_whitelisted(self):
    """A caller from an IP outside their whitelist gets AuthorizationError.

    Which whitelist this identity is assigned to comes from
    make_auth_db_with_ip_whitelist(), defined elsewhere in this file;
    192.168.0.100 is outside it.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()
    caller = model.Identity(model.IDENTITY_USER, "*****@*****.**")
    source_ip = ipaddr.ip_from_string("192.168.0.100")

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(caller, source_ip, {})
def test_get_peer_ip(self):
    """The peer IP of the handled request is readable from the auth context."""
    self.call('1.2.3.4', '*****@*****.**')
    expected_ip = ipaddr.ip_from_string('1.2.3.4')
    self.assertEqual(expected_ip, api.get_peer_ip())
def mock_caller(self, ident, ip):
    """Stub auth.get_peer_identity and auth.get_peer_ip for a fixed caller.

    ident: serialized identity text, parsed with auth.Identity.from_bytes.
    ip: IP address text, parsed with ipaddr.ip_from_string.
    Uses the fixture's self.mock helper (defined elsewhere in this file).
    """
    def peer_identity():
        return auth.Identity.from_bytes(ident)

    def peer_ip():
        return ipaddr.ip_from_string(ip)

    self.mock(auth, 'get_peer_identity', peer_identity)
    self.mock(auth, 'get_peer_ip', peer_ip)
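def test_verify_ip_whitelisted_bot_ipv6_loopback(self):
    """Anonymous caller from IPv6 loopback (::1) is converted to a bot.

    The expected name '0-0-0-0-0-0-0-1' appears to be the expanded IPv6
    address with ':' swapped for '-' (confirm against
    verify_ip_whitelisted). Whether ::1 is in the fixture's 'bots'
    whitelist is set up by make_auth_db_with_ip_whitelist(), defined
    elsewhere in this file.
    """
    # Anonymous + ::1 => IP-derived bot identity. (The previous comment
    # referred to 192.168.1.1; the address under test is ::1.)
    auth_db = self.make_auth_db_with_ip_whitelist()
    result = auth_db.verify_ip_whitelisted(
        model.Anonymous, ipaddr.ip_from_string('::1'), {})
    self.assertEqual(
        model.Identity(model.IDENTITY_BOT, '0-0-0-0-0-0-0-1'), result)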
def test_verify_ip_whitelisted_not_whitelisted(self):
    """Calling from 192.168.0.100, outside the caller's whitelist, raises
    AuthorizationError (the assignment comes from
    make_auth_db_with_ip_whitelist(), defined elsewhere in this file).
    """
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    auth_db = self.make_auth_db_with_ip_whitelist()

    with self.assertRaises(api.AuthorizationError):
        auth_db.verify_ip_whitelisted(
            caller, ipaddr.ip_from_string('192.168.0.100'), {})
def test_verify_ip_whitelisted_ok(self):
    """A user calling from whitelisted 127.0.0.1 is returned unchanged.

    The whitelist contents and assignments come from
    make_auth_db_with_ip_whitelist(), defined elsewhere in this file.
    """
    caller = model.Identity(model.IDENTITY_USER, '*****@*****.**')
    source_ip = ipaddr.ip_from_string('127.0.0.1')

    verified = self.make_auth_db_with_ip_whitelist().verify_ip_whitelisted(
        caller, source_ip, {})

    self.assertEqual(caller, verified)
def test_ip_from_string_v6_bad(self):
    """IPv6 text with the wrong group count or non-hex digits raises ValueError."""
    rejected = (
        '0:0:0:0:0:0:0',         # seven groups
        '0:0:0:0:0:0:0:00gg',    # 'gg' is not hexadecimal
    )
    for text in rejected:
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)
def test_get_current_identity_ip(self):
    """The current identity's IP is readable from the auth context after a call."""
    self.call('1.2.3.4', '*****@*****.**')
    expected_ip = ipaddr.ip_from_string('1.2.3.4')
    self.assertEqual(expected_ip, api.get_current_identity_ip())
def test_ip_from_string_v6_omitting_zeros_bad(self):
    """Invalid uses of '::' compression are rejected with ValueError."""
    def assert_rejected(text):
        with self.assertRaises(ValueError):
            ipaddr.ip_from_string(text)

    assert_rejected('::1::')              # more than one '::'
    assert_rejected('0:0:0:0:0:0:0::0')   # '::' with all eight groups present
def test_verify_ip_whitelisted_bot(self):
    """An anonymous caller from 192.168.1.1, in the fixture's 'bots'
    whitelist, is converted to the identity bot:whitelisted-ip.
    """
    auth_db = self.make_auth_db_with_ip_whitelist()

    verified = auth_db.verify_ip_whitelisted(
        model.Anonymous, ipaddr.ip_from_string('192.168.1.1'), {})

    expected = model.Identity(model.IDENTITY_BOT, 'whitelisted-ip')
    self.assertEqual(expected, verified)