 def test_passing_filelike_as_request_object(self):
     """A file-like object holding a raw HTTP request is accepted by both APIs.

     A fresh ``BytesIO`` is built for every call rather than reusing one
     stream.  ``nonces=False`` switches off replay (nonce) tracking so the
     static ``TEST_REQ_SIGNED`` fixture can be re-verified on every run.
     """
     # Unsigned request: must not verify against the key.
     unsigned_ok = check_signature(BytesIO(TEST_REQ), TEST_KEY, nonces=False)
     assert not unsigned_ok
     # Signing returns the Authorization header value containing the MAC.
     header = sign_request(BytesIO(TEST_REQ), TEST_ID, TEST_KEY,
                           params=TEST_PARAMS)
     assert TEST_SIG in header
     # The pre-signed fixture verifies.
     signed_ok = check_signature(BytesIO(TEST_REQ_SIGNED), TEST_KEY,
                                 nonces=False)
     assert signed_ok
 def test_passing_filelike_as_request_object(self):
     """A file-like object holding a raw HTTP request is accepted by both APIs.

     A fresh ``BytesIO`` is built for every call rather than reusing one
     stream.  ``nonces=False`` switches off replay (nonce) tracking so the
     static ``TEST_REQ_SIGNED`` fixture can be re-verified on every run.
     """
     # Unsigned request: must not verify against the key.
     unsigned_ok = check_signature(BytesIO(TEST_REQ), TEST_KEY, nonces=False)
     assert not unsigned_ok
     # Signing returns the Authorization header value containing the MAC.
     header = sign_request(BytesIO(TEST_REQ), TEST_ID, TEST_KEY,
                           params=TEST_PARAMS)
     assert TEST_SIG in header
     # The pre-signed fixture verifies.
     signed_ok = check_signature(BytesIO(TEST_REQ_SIGNED), TEST_KEY,
                                 nonces=False)
     assert signed_ok
 def test_passing_requests_request_as_request_object(self):
     """A prepared ``requests`` request is signed in place and then verifies."""
     prepared = requests.Request(
         method="GET",
         url="http://example.com:8000/resource/1",
         params=[("b", "1"), ("a", "2")],
     ).prepare()
     # Built without any headers, so there is nothing to verify yet.
     assert not check_signature(prepared, TEST_KEY, nonces=False)
     # sign_request() writes the Authorization header onto the prepared
     # request itself; the return value is not needed here.
     sign_request(prepared, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in prepared.headers['Authorization']
     # nonces=False: no replay tracking, the fixed fixture must verify.
     assert check_signature(prepared, TEST_KEY, nonces=False)
 def test_passing_requests_request_as_request_object(self):
     """A prepared ``requests`` request is signed in place and then verifies."""
     prepared = requests.Request(
         method="GET",
         url="http://example.com:8000/resource/1",
         params=[("b", "1"), ("a", "2")],
     ).prepare()
     # Built without any headers, so there is nothing to verify yet.
     assert not check_signature(prepared, TEST_KEY, nonces=False)
     # sign_request() writes the Authorization header onto the prepared
     # request itself; the return value is not needed here.
     sign_request(prepared, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in prepared.headers['Authorization']
     # nonces=False: no replay tracking, the fixed fixture must verify.
     assert check_signature(prepared, TEST_KEY, nonces=False)
 def test_check_signature_fails_with_reused_nonce(self):
     """Replaying a nonce against the same nonce cache is rejected.

     The first two checks pass no ``nonces`` argument and therefore share
     the library's default nonce cache; the test assumes "PEPPER" has not
     already been recorded there by an earlier test in this process.
     """
     def signed_request_with_nonce(nonce):
         # Pre-seed the Authorization params so sign_request() keeps the
         # supplied nonce instead of inventing one (the test relies on it).
         request = Request.blank("/")
         request.authorization = ("Hawk", {"nonce": nonce})
         sign_request(request, "myid", "mykey")
         return request

     # First use of the nonce: accepted.
     first = signed_request_with_nonce("PEPPER")
     self.assertTrue(check_signature(first, "mykey"))
     # Same nonce on a brand-new request: a replay, rejected.
     replayed = signed_request_with_nonce("PEPPER")
     self.assertFalse(check_signature(replayed, "mykey"))
     # A separate, empty NonceCache has never seen it, so it verifies there.
     self.assertTrue(check_signature(replayed, "mykey", nonces=NonceCache()))
 def test_passing_environ_dict_as_request_object(self):
     """A bare WSGI environ dict works as the request object."""
     environ = {
         "REQUEST_METHOD": "GET",
         "wsgi.url_scheme": "http",
         "HTTP_HOST": "example.com:8000",
         "PATH_INFO": "/resource/1",
         "QUERY_STRING": "b=1&a=2",
         "HTTP_CONTENT_LENGTH": "11",
     }
     # No HTTP_AUTHORIZATION key in the environ: verification must fail.
     assert not check_signature(environ, TEST_KEY, nonces=False)
     # Signing returns the header value and evidently also stores it in the
     # environ, which is why the very same dict verifies afterwards.
     header = sign_request(environ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     assert check_signature(environ, TEST_KEY, nonces=False)
 def test_passing_environ_dict_as_request_object(self):
     """A bare WSGI environ dict works as the request object."""
     environ = {
         "REQUEST_METHOD": "GET",
         "wsgi.url_scheme": "http",
         "HTTP_HOST": "example.com:8000",
         "PATH_INFO": "/resource/1",
         "QUERY_STRING": "b=1&a=2",
         "HTTP_CONTENT_LENGTH": "11",
     }
     # No HTTP_AUTHORIZATION key in the environ: verification must fail.
     assert not check_signature(environ, TEST_KEY, nonces=False)
     # Signing returns the header value and evidently also stores it in the
     # environ, which is why the very same dict verifies afterwards.
     header = sign_request(environ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     assert check_signature(environ, TEST_KEY, nonces=False)
 def test_check_signature_fails_with_reused_nonce(self):
     """Replaying a nonce against the same nonce cache is rejected.

     The first two checks pass no ``nonces`` argument and therefore share
     the library's default nonce cache; the test assumes "PEPPER" has not
     already been recorded there by an earlier test in this process.
     """
     def signed_request_with_nonce(nonce):
         # Pre-seed the Authorization params so sign_request() keeps the
         # supplied nonce instead of inventing one (the test relies on it).
         request = Request.blank("/")
         request.authorization = ("Hawk", {"nonce": nonce})
         sign_request(request, "myid", "mykey")
         return request

     # First use of the nonce: accepted.
     first = signed_request_with_nonce("PEPPER")
     self.assertTrue(check_signature(first, "mykey"))
     # Same nonce on a brand-new request: a replay, rejected.
     replayed = signed_request_with_nonce("PEPPER")
     self.assertFalse(check_signature(replayed, "mykey"))
     # A separate, empty NonceCache has never seen it, so it verifies there.
     self.assertTrue(check_signature(replayed, "mykey", nonces=NonceCache()))
    def _check_signature(self, request, key):
        """Verify the request's Hawk signature against ``key``.

        Returns True on success.  Raises the challenge built by
        ``self.challenge`` (an HTTPUnauthorized) when the Authorization
        parameters are missing or the MAC does not verify.

        The outcome is memoised on ``request.environ`` because pyramid may
        authenticate the same request more than once, and the first
        successful check already marks the nonce as used in
        ``self.nonce_cache`` -- a second full check would be rejected as a
        replay.  The environ key cannot be set by a client: WSGI exposes
        request headers only under ``HTTP_*`` names.
        """
        env = request.environ
        # Already verified earlier in this request's lifecycle.
        if env.get("hawkauth.signature_is_valid", False):
            return True
        # NOTE(review): the cached flag is not bound to ``key``; a later call
        # with a different key on the same request would be accepted on the
        # strength of the first one.  Harmless as long as the key is derived
        # deterministically from the request's own Hawk id -- confirm.
        params = self._get_params(request)
        if params is None:
            raise self.challenge(request, "missing Hawk signature")
        verified = hawkauthlib.check_signature(request, key, params=params,
                                               nonces=self.nonce_cache)
        if not verified:
            raise self.challenge(request, "invalid Hawk signature")
        env["hawkauth.signature_is_valid"] = True
        return True
 def test_check_signature_fails_with_busted_signature(self):
     """Tampering with the MAC of an otherwise valid header is detected."""
     request = Request.blank("/")
     sign_request(request, "myid", "mykey")
     # Corrupt only the mac= value; every other Hawk parameter stays intact.
     mac = parse_authz_header(request)["mac"]
     original_header = request.environ["HTTP_AUTHORIZATION"]
     request.environ["HTTP_AUTHORIZATION"] = original_header.replace(
         mac, "XXX" + mac)
     self.assertFalse(check_signature(request, "mykey"))
 def test_check_signature_fails_with_busted_signature(self):
     """Tampering with the MAC of an otherwise valid header is detected."""
     request = Request.blank("/")
     sign_request(request, "myid", "mykey")
     # Corrupt only the mac= value; every other Hawk parameter stays intact.
     mac = parse_authz_header(request)["mac"]
     original_header = request.environ["HTTP_AUTHORIZATION"]
     request.environ["HTTP_AUTHORIZATION"] = original_header.replace(
         mac, "XXX" + mac)
     self.assertFalse(check_signature(request, "mykey"))
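    def test_purging_of_old_user_records(self):
        """purge_old_records() drops superseded records and signs the DELETE
        it sends to the storage node for each of them.

        Three records are created for one user.  The default grace period
        must keep all of them; a zero grace period must purge the two old
        ones and leave the current record alone.  Every outgoing DELETE has
        to carry a Hawk signature that verifies under the node secret, and
        its token must name the purged record's kid.
        """
        service = "sync-1.1"
        email = "*****@*****.**"
        user = self.backend.allocate_user(service,
                                          email,
                                          client_state="aa",
                                          generation=123)
        self.backend.update_user(service,
                                 user,
                                 client_state="bb",
                                 generation=456,
                                 keys_changed_at=450)
        self.backend.update_user(service,
                                 user,
                                 client_state="cc",
                                 generation=789)
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "cc")
        self.assertEqual(len(user["old_client_states"]), 2)

        # The default grace period is long enough that nothing is purged and
        # no request reaches the service.
        self.assertTrue(purge_old_records(self.ini_file))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        self.assertEqual(len(self.service_requests), 0)

        # With no grace period the two superseded records are purged.
        self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 1)
        self.assertEqual(len(self.service_requests), 2)

        # Each purge must have issued a correctly signed DELETE to the node.
        secrets = self.config.registry.settings["tokenserver.secrets"]
        node_secret = secrets.get(self.service_node)[-1]
        # Newest old record first.  The kid looks like the zero-padded
        # keys_changed_at (falling back to generation) followed by a
        # re-encoding of the record's client_state -- verify against tokenlib.
        expected_kids = ["0000000000450-uw", "0000000000123-qg"]
        for environ, expected_kid in zip(self.service_requests, expected_kids):
            self.assertEqual(environ["REQUEST_METHOD"], "DELETE")
            # The dot is escaped: "/1.1/" must be the literal version prefix.
            self.assertTrue(re.match(r"/1\.1/[0-9]+", environ["PATH_INFO"]))
            # The signature must verify under the secret derived from the
            # request's own token, the same derivation the node performs.
            token = hawkauthlib.get_id(environ)
            secret = tokenlib.get_derived_secret(token, secret=node_secret)
            self.assertTrue(hawkauthlib.check_signature(environ, secret))
            userdata = tokenlib.parse_token(token, secret=node_secret)
            self.assertIn("uid", userdata)
            self.assertIn("node", userdata)
            self.assertEqual(userdata["fxa_uid"], "test")
            self.assertEqual(userdata["fxa_kid"], expected_kid)

        # The current record is untouched and its history is now empty.
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "cc")
        self.assertEqual(len(user["old_client_states"]), 0)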
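    def test_purging_of_old_user_records(self):
        """purge_old_records() drops superseded records and signs the DELETE
        it sends to the storage node for each of them.

        Three records are created for one user.  The default grace period
        must keep all of them; a zero grace period must purge the two old
        ones and leave the current record alone.  Every outgoing DELETE has
        to carry a Hawk signature that verifies under the node secret, and
        its token must name the purged record's kid.
        """
        service = "test-1.0"
        email = "*****@*****.**"
        user = self.backend.allocate_user(service, email, client_state="a")
        self.backend.update_user(service, user, client_state="b")
        self.backend.update_user(service, user, client_state="c")
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "c")
        self.assertEqual(len(user["old_client_states"]), 2)

        # The default grace period is long enough that nothing is purged and
        # no request reaches the service.
        self.assertTrue(purge_old_records(self.ini_file))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        self.assertEqual(len(self.service_requests), 0)

        # With no grace period the two superseded records are purged.
        self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 1)
        self.assertEqual(len(self.service_requests), 2)

        # Each purge must have issued a correctly signed DELETE to the node.
        secrets = self.config.registry.settings["tokenserver.secrets"]
        node_secret = secrets.get(self.service_node)[-1]
        # Newest old record first; here the kid is just the client_state.
        expected_kids = ["b", "a"]
        for environ, expected_kid in zip(self.service_requests, expected_kids):
            self.assertEqual(environ["REQUEST_METHOD"], "DELETE")
            # The dot is escaped: "/1.0/" must be the literal version prefix.
            self.assertTrue(re.match(r"/1\.0/[0-9]+", environ["PATH_INFO"]))
            # The signature must verify under the secret derived from the
            # request's own token, the same derivation the node performs.
            token = hawkauthlib.get_id(environ)
            secret = tokenlib.get_derived_secret(token, secret=node_secret)
            self.assertTrue(hawkauthlib.check_signature(environ, secret))
            userdata = tokenlib.parse_token(token, secret=node_secret)
            self.assertIn("uid", userdata)
            self.assertIn("node", userdata)
            self.assertEqual(userdata["fxa_uid"], "test")
            self.assertEqual(userdata["fxa_kid"], expected_kid)

        # The current record is untouched and its history is now empty.
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "c")
        self.assertEqual(len(user["old_client_states"]), 0)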
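    def _validate_auth(self, uaid):
        """Check the request's Hawk Authorization header for ``uaid``.

        Returns True when the signature verifies under a secret derived from
        one of the configured crypto keys, False when the uaid is malformed
        or no key matches.  Trying every key in turn lets keys be rotated
        without rejecting clients still signing with the previous one.
        """
        valid, _ = validate_uaid(uaid)
        if not valid:
            return False
        # Rebuild the request once as a prepared ``requests`` request, the
        # form hawkauthlib can canonicalise.  check_signature only reads it,
        # so a single copy serves every candidate key.
        url = "%s://%s%s" % (self.request.protocol, self.request.host,
                             self.request.uri)
        prepared = prequests.Request(
            self.request.method,
            url,
            headers=self.request.headers,
            data=self.request.body).prepare()
        # NOTE(review): protocol/host are the server-side view of the
        # request; behind a TLS-terminating proxy they can differ from what
        # the client signed, and verification would then fail -- confirm.
        # NOTE(review): no ``nonces`` argument is passed, so replay
        # protection relies on hawkauthlib's default per-process cache --
        # confirm that is acceptable for a multi-process deployment.
        for key in self.ap_settings.crypto_key:
            secret = generate_hash(key, uaid)
            if hawkauthlib.check_signature(prepared, secret):
                return True
        return False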
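    def _validate_auth(self, uaid):
        """Check the request's Hawk Authorization header for ``uaid``.

        Returns True when the signature verifies under a secret derived from
        one of the configured crypto keys, False when the uaid is malformed
        or no key matches.  Trying every key in turn lets keys be rotated
        without rejecting clients still signing with the previous one.
        """
        valid, _ = validate_uaid(uaid)
        if not valid:
            return False
        # Rebuild the request once as a prepared ``requests`` request, the
        # form hawkauthlib can canonicalise.  check_signature only reads it,
        # so a single copy serves every candidate key.
        url = "%s://%s%s" % (self.request.protocol, self.request.host,
                             self.request.uri)
        prepared = prequests.Request(
            self.request.method,
            url,
            headers=self.request.headers,
            data=self.request.body).prepare()
        # NOTE(review): protocol/host are the server-side view of the
        # request; behind a TLS-terminating proxy they can differ from what
        # the client signed, and verification would then fail -- confirm.
        # NOTE(review): no ``nonces`` argument is passed, so replay
        # protection relies on hawkauthlib's default per-process cache --
        # confirm that is acceptable for a multi-process deployment.
        for key in self.ap_settings.crypto_key:
            secret = generate_hash(key, uaid)
            if hawkauthlib.check_signature(prepared, secret):
                return True
        return False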
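    def test_purging_of_old_user_records(self):
        """purge_old_records() drops superseded records and signs the DELETE
        it sends to the storage node for each of them.

        Three records are created for one user.  The default grace period
        must keep all of them; a zero grace period must purge the two old
        ones and leave the current record alone.  Every outgoing DELETE has
        to carry a Hawk signature that verifies under the node secret.
        """
        service = "test-1.0"
        email = "*****@*****.**"
        user = self.backend.allocate_user(service, email, client_state="a")
        self.backend.update_user(service, user, client_state="b")
        self.backend.update_user(service, user, client_state="c")
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "c")
        self.assertEqual(len(user["old_client_states"]), 2)

        # The default grace period is long enough that nothing is purged and
        # no request reaches the service.
        self.assertTrue(purge_old_records(self.ini_file))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 3)
        self.assertEqual(len(self.service_requests), 0)

        # With no grace period the two superseded records are purged.
        self.assertTrue(purge_old_records(self.ini_file, grace_period=0))
        user_records = list(self.backend.get_user_records(service, email))
        self.assertEqual(len(user_records), 1)
        self.assertEqual(len(self.service_requests), 2)

        # Each purge must have issued a correctly signed DELETE to the node.
        secrets = self.config.registry.settings["tokenserver.secrets"]
        node_secret = secrets.get(self.service_node)[-1]
        for environ in self.service_requests:
            self.assertEqual(environ["REQUEST_METHOD"], "DELETE")
            # The dot is escaped: "/1.0/" must be the literal version prefix.
            self.assertTrue(re.match(r"/1\.0/[0-9]+", environ["PATH_INFO"]))
            # The signature must verify under the secret derived from the
            # request's own token, the same derivation the node performs.
            token = hawkauthlib.get_id(environ)
            secret = tokenlib.get_derived_secret(token, secret=node_secret)
            self.assertTrue(hawkauthlib.check_signature(environ, secret))

        # The current record is untouched and its history is now empty.
        user = self.backend.get_user(service, email)
        self.assertEqual(user["client_state"], "c")
        self.assertEqual(len(user["old_client_states"]), 0)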
 def test_passing_bytestring_as_request_object(self):
     """A raw HTTP request given as a byte string is accepted directly."""
     unsigned_ok = check_signature(TEST_REQ, TEST_KEY, nonces=False)
     assert not unsigned_ok
     header = sign_request(TEST_REQ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     # The pre-signed fixture must verify; nonces=False disables replay
     # tracking so its fixed nonce is not rejected on repeated runs.
     signed_ok = check_signature(TEST_REQ_SIGNED, TEST_KEY, nonces=False)
     assert signed_ok
 def _check_signature(self, request, secret, params=None):
     """Verify ``request``'s Hawk signature with ``secret``.

     ``params`` may carry already-parsed Authorization parameters.  The
     shared ``self.nonce_cache`` is always handed to hawkauthlib so nonce
     reuse is detected across the requests handled by this object.
     """
     nonce_cache = self.nonce_cache
     return hawkauthlib.check_signature(request, secret,
                                        params=params, nonces=nonce_cache)
 def test_passing_bytestring_as_request_object(self):
     """A raw HTTP request given as a byte string is accepted directly."""
     unsigned_ok = check_signature(TEST_REQ, TEST_KEY, nonces=False)
     assert not unsigned_ok
     header = sign_request(TEST_REQ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     # The pre-signed fixture must verify; nonces=False disables replay
     # tracking so its fixed nonce is not rejected on repeated runs.
     signed_ok = check_signature(TEST_REQ_SIGNED, TEST_KEY, nonces=False)
     assert signed_ok
 def test_passing_webob_request_as_request_object(self):
     """A webob Request is accepted and signed in place."""
     request = webob.Request.from_bytes(TEST_REQ)
     # Parsed from the unsigned fixture: must not verify.
     assert not check_signature(request, TEST_KEY, nonces=False)
     header = sign_request(request, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     # The same object now carries the Authorization header, so it verifies.
     assert check_signature(request, TEST_KEY, nonces=False)
 def __call__(self, req):
     """Sign ``req`` in place, check the result, then abort the send.

     Presumably installed as a hook on an outgoing request: the
     RuntimeError stops it from actually being transmitted once the
     assertions on the Authorization header have run.
     """
     sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert check_signature(req, TEST_KEY, nonces=False)
     header = req.headers['Authorization']
     assert TEST_SIG in header
     raise RuntimeError("aborting the request")
 def test_passing_webob_request_as_request_object(self):
     """A webob Request is accepted and signed in place."""
     request = webob.Request.from_bytes(TEST_REQ)
     # Parsed from the unsigned fixture: must not verify.
     assert not check_signature(request, TEST_KEY, nonces=False)
     header = sign_request(request, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert TEST_SIG in header
     # The same object now carries the Authorization header, so it verifies.
     assert check_signature(request, TEST_KEY, nonces=False)
 def test_check_signature_fails_with_non_mac_scheme(self):
     """A valid MAC presented under a non-Hawk auth scheme must not verify."""
     raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
     request = Request.from_bytes(raw)
     sign_request(request, "myid", "mykey")
     # Keep every Hawk parameter but relabel the scheme.
     _scheme, params = request.authorization
     request.authorization = ("OAuth", params)
     self.assertFalse(check_signature(request, "mykey"))
 def _check_signature(self, request, secret, params=None):
     """Verify ``request``'s Hawk signature with ``secret``.

     ``params`` may carry already-parsed Authorization parameters.  The
     shared ``self.nonce_cache`` is always handed to hawkauthlib so nonce
     reuse is detected across the requests handled by this object.
     """
     nonce_cache = self.nonce_cache
     return hawkauthlib.check_signature(request, secret,
                                        params=params, nonces=nonce_cache)
 def test_check_signature_errors_when_missing_id(self):
     """A Hawk header lacking the id parameter is rejected, not raised on."""
     raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
     request = Request.from_bytes(raw)
     # ts and nonce are present; id (and mac) are not.
     request.authorization = ("Hawk", {"ts": "1", "nonce": "2"})
     self.assertFalse(check_signature(request, "secretkeyohsecretkey"))
 def test_check_signature_errors_when_missing_id(self):
     """A Hawk header lacking the id parameter is rejected, not raised on."""
     raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
     request = Request.from_bytes(raw)
     # ts and nonce are present; id (and mac) are not.
     request.authorization = ("Hawk", {"ts": "1", "nonce": "2"})
     self.assertFalse(check_signature(request, "secretkeyohsecretkey"))
 def test_check_signature_fails_with_far_future_timestamp(self):
     """A correctly signed request dated far in the future is rejected."""
     request = Request.blank("/")
     # About 17 minutes ahead of the local clock -- presumably outside the
     # clock-skew window the nonce cache tolerates.
     future_ts = str(int(time.time() + 1000))
     request.authorization = ("Hawk", {"ts": future_ts})
     sign_request(request, "myid", "mykey")
     self.assertFalse(check_signature(request, "mykey"))
 def test_check_signature_fails_with_non_mac_scheme(self):
     """A valid MAC presented under a non-Hawk auth scheme must not verify."""
     raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
     request = Request.from_bytes(raw)
     sign_request(request, "myid", "mykey")
     # Keep every Hawk parameter but relabel the scheme.
     _scheme, params = request.authorization
     request.authorization = ("OAuth", params)
     self.assertFalse(check_signature(request, "mykey"))
 def test_check_signature_fails_with_far_future_timestamp(self):
     """A correctly signed request dated far in the future is rejected."""
     request = Request.blank("/")
     # About 17 minutes ahead of the local clock -- presumably outside the
     # clock-skew window the nonce cache tolerates.
     future_ts = str(int(time.time() + 1000))
     request.authorization = ("Hawk", {"ts": future_ts})
     sign_request(request, "myid", "mykey")
     self.assertFalse(check_signature(request, "mykey"))
 def __call__(self, req):
     """Sign ``req`` in place, check the result, then abort the send.

     Presumably installed as a hook on an outgoing request: the
     RuntimeError stops it from actually being transmitted once the
     assertions on the Authorization header have run.
     """
     sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
     assert check_signature(req, TEST_KEY, nonces=False)
     header = req.headers['Authorization']
     assert TEST_SIG in header
     raise RuntimeError("aborting the request")