def test_consistent_output(self, info, key, salt):
"""For fixed key, salt, info, the output should be constant."""
info_bytes = info.encode("utf-8")
derived_a = derive_key(key, salt, info_bytes)
derived_b = derive_key(key, salt, info_bytes)
assert derived_a == derived_b
def test_different_salt_different_output(self, info, key, salt_a, salt_b):
"""If the salt is changed, the output should change."""
assume(salt_a != salt_b)
info_bytes = info.encode("utf-8")
derived_a = derive_key(key, salt_a, info_bytes)
derived_b = derive_key(key, salt_b, info_bytes)
assert derived_a != derived_b
def test_different_key_different_output(self, info, key_a, key_b, salt):
"""If the key is rotated, the output should change."""
assume(key_a != key_b)
info_bytes = info.encode("utf-8")
derived_a = derive_key(key_a, salt, info_bytes)
derived_b = derive_key(key_b, salt, info_bytes)
assert derived_a != derived_b
def test_different_info_different_output(self, info_a, info_b, key, salt):
# For fixed key material and salt, derive_key should give different output
# for differing info parameters.
assume(info_a != info_b)
info_a_bytes = info_a.encode("utf-8")
info_b_bytes = info_b.encode("utf-8")
derived_a = derive_key(key, salt, info_a_bytes)
derived_b = derive_key(key, salt, info_b_bytes)
assert derived_a != derived_b
def test_it_produces_correct_result(self, info, key, salt, expected):
info_bytes = unhexlify(info)
salt_bytes = unhexlify(salt)
key_bytes = unhexlify(key)
derived = derive_key(key_bytes, salt_bytes, info_bytes)
# The test vectors have key lengths above and below the fixed-sized
# output of `derive_key`. Only compare the corresponding prefixes.
compare_len = min(len(expected), 64 * 2)
assert hexlify(
derived)[:compare_len] == expected[:compare_len].encode()
def includeme(config): # pragma: no cover
config.include("h.security.request_methods")
settings = config.registry.settings
settings["h_auth_cookie_secret"] = derive_key(settings["secret_key"],
settings["secret_salt"],
b"h.auth.cookie_secret")
# Set the default authentication policy. This can be overridden by modules
# that include this one.
proxy_auth = config.registry.settings.get("h.proxy_auth")
if proxy_auth:
log.warning("Enabling proxy authentication mode: you MUST ensure that "
"the X-Forwarded-User request header can ONLY be set by "
"trusted downstream reverse proxies! Failure to heed this "
"warning will result in ALL DATA stored by this service "
"being available to ANYONE!")
config.set_security_policy(SecurityPolicy(proxy_auth=proxy_auth))
def test_it_encodes_str_key_material(self):
derived = derive_key("akey", b"somesalt", b"some-info")
assert len(derived) == 64
def test_output(self, info, key, salt):
info_bytes = info.encode("utf-8")
derived = derive_key(key, salt, info_bytes)
assert len(derived) == 64