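def test_account_full_auth_handshake(client):
    """Run the two-step login handshake over HTTP and check the credential.

    Step 1 posts a signed AuthReq to /account/challenge/gen and expects an
    encrypted challenge signed by the server identity key. Step 2 posts that
    challenge back inside a signed AuthChallengeResp and expects an encrypted
    AccountCred signed by the same key.

    Beyond the type and signer checks, the credential is asserted to name the
    requesting user and to still be unexpired, matching what
    test_account_challenge_verify checks for the same endpoint. Without those
    two assertions a credential issued for the wrong user, or one already
    expired, would pass this end-to-end test.
    """
    u = db.user_with_pk(flask.g.db, U1.pk)

    # Step 1: request a challenge, signed with the user's secret key.
    req1 = SignedMessage.sign(account.AuthReq(u.pk), SK1)
    rv1 = client.post(
        '/account/challenge/gen',
        json=req1.to_dict(),
    )
    assert rv1.status_code == 200
    echal = Message.from_dict(rv1.json)
    assert isinstance(echal, EncryptedMessage)
    # The test decrypts with server.ENCKEY only to inspect the challenge.
    schal = EncryptedMessage.dec(echal, server.ENCKEY)
    assert schal.is_valid()
    chal, pk_used = schal.unwrap()
    assert isinstance(chal, account.AuthChallenge)
    assert pk_used == server.IDKEY.pubkey

    # Step 2: return the still-encrypted challenge in a signed response.
    req2 = SignedMessage.sign(account.AuthChallengeResp(echal), SK1)
    rv2 = client.post(
        '/account/challenge/verify',
        json=req2.to_dict(),
    )
    assert rv2.status_code == 200
    resp = Message.from_dict(rv2.json)
    assert isinstance(resp, account.AuthResp)
    assert resp.err is None
    assert isinstance(resp.cred, EncryptedMessage)
    scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
    assert scred.is_valid()
    cred, pk_used = scred.unwrap()
    assert isinstance(cred, account.AccountCred)
    assert pk_used == server.IDKEY.pubkey
    # The credential must be bound to the user who signed the requests and
    # must not already be expired.
    assert cred.user == u
    assert cred.expire > time.time()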
def test_authchallengeresp_wrong_user():
    """A challenge made out to another user must not yield a credential.

    The response is signed with SK1, but the challenge comes from
    get_chal(..., cred_wrong_user=True), so signer and challenge subject
    differ. The handler is expected to answer CredChalErr.WrongUser and to
    leave cred unset.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    # The challenge names a different user than the one signing below.
    mismatched_chal = get_chal(user, cred_wrong_user=True)
    answer = account.AuthChallengeResp(mismatched_chal)
    signed_answer = SignedMessage.sign(answer, SK1)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert result.cred is None
    assert result.err == CredChalErr.WrongUser
def test_authchallengeresp_expired_cred():
    """An expired challenge is refused with BadCred and no credential.

    get_chal(..., cred_expired=True) supplies the stale challenge. The
    response itself is correctly signed with SK1, so only the expiry is
    wrong.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    # The challenge handed back to the server is already past its expiry.
    stale_chal = get_chal(user, cred_expired=True)
    answer = account.AuthChallengeResp(stale_chal)
    signed_answer = SignedMessage.sign(answer, SK1)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert result.cred is None
    assert result.err == CredChalErr.BadCred
def test_authchallengeresp_badscred_2():
    """A challenge wrapping a broken SignedMessage is reported as Malformed.

    The encrypted envelope is fine. get_chal(..., scred_munge=True) corrupts
    the signed message inside it. No credential may be returned.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    # Valid outer encryption, damaged SignedMessage inside.
    munged_chal = get_chal(user, scred_munge=True)
    answer = account.AuthChallengeResp(munged_chal)
    signed_answer = SignedMessage.sign(answer, SK1)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert result.cred is None
    assert result.err == CredChalErr.Malformed
def test_authchallengeresp_badcred_2():
    """A challenge signed by a key other than the expected one gives BadCred.

    The envelope decrypts and the inner SignedMessage is well formed, but
    get_chal(..., cred_wrong_key=True) has it signed with the wrong key.
    The handler must not issue a credential for it.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    # Well-formed challenge whose inner signature comes from the wrong key.
    foreign_signed_chal = get_chal(user, cred_wrong_key=True)
    answer = account.AuthChallengeResp(foreign_signed_chal)
    signed_answer = SignedMessage.sign(answer, SK1)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert result.cred is None
    assert result.err == CredChalErr.BadCred
def test_authchallengeresp_badcred_1():
    """A validly wrapped challenge carrying a Stub payload is Malformed.

    Encryption and the inner SignedMessage are both good, but
    get_chal(..., cred_stub=True) puts a Stub where the challenge should be.
    The handler must reject the payload type and return no credential.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    # Good envelope and signature, wrong payload type (a Stub).
    stub_chal = get_chal(user, cred_stub=True)
    answer = account.AuthChallengeResp(stub_chal)
    signed_answer = SignedMessage.sign(answer, SK1)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert result.cred is None
    assert result.err == CredChalErr.Malformed
def test_authchallengeresp_bad_chal():
    """A response signed by an unknown key is rejected as UnknownUser.

    Despite the test name, the challenge is an ordinary get_chal(u) one.
    The fault is in the outer signature, made with a secret key built from a
    fixed integer rather than with SK1. The handler must still return an
    AuthResp, with no credential and SignedMessageErr.UnknownUser.
    """
    conn = get_db()
    user = db.user_with_pk(conn, U1.pk)
    challenge = get_chal(user)
    # Fixed 32-byte test key, expected to match no registered user.
    raw_key = (98345).to_bytes(32, byteorder='big')
    stranger_sk = crypto.Seckey(raw_key)
    answer = account.AuthChallengeResp(challenge)
    signed_answer = SignedMessage.sign(answer, stranger_sk)
    result = server.handle_authchallengeresp(conn, signed_answer)
    assert isinstance(result, account.AuthResp)
    assert result.cred is None
    assert result.err == SignedMessageErr.UnknownUser
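def test_authchallengeresp_happy():
    """A correct challenge response yields a valid, user-bound credential.

    Calls server.handle_authchallengeresp directly with a fresh challenge
    and a response signed with SK1. The returned credential is decrypted
    with server.ENCKEY and checked for a valid signature from the server
    identity key, the expected payload type, the requesting user, and an
    expiry in the future.

    The is_valid(), type and user checks mirror the assertions the HTTP-level
    tests make on the same credential. Without them an unverified or
    mis-bound credential would pass the happy path.
    """
    db_conn = get_db()
    u = db.user_with_pk(db_conn, U1.pk)
    echal = get_chal(u)
    sacr = SignedMessage.sign(account.AuthChallengeResp(echal), SK1)
    resp = server.handle_authchallengeresp(db_conn, sacr)
    assert isinstance(resp, account.AuthResp)
    assert resp.err is None
    assert isinstance(resp.cred, EncryptedMessage)
    scred = EncryptedMessage.dec(resp.cred, server.ENCKEY)
    # Check the signature before trusting anything unwrapped from it.
    assert scred.is_valid()
    cred, pk_used = SignedMessage.unwrap(scred)
    assert isinstance(cred, account.AccountCred)
    assert pk_used == server.IDKEY.pubkey
    # The credential must belong to the user who answered the challenge.
    assert cred.user == u
    assert cred.expire > time.time()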
def test_account_challenge_verify(client):
    """POST a valid challenge response and inspect the issued credential.

    The challenge comes straight from server.generate_auth_challenge, so
    only the /account/challenge/verify endpoint is exercised over HTTP. The
    credential must decrypt with server.ENCKEY, carry a valid signature from
    the server identity key, name the requesting user, and be unexpired.
    """
    user = db.user_with_pk(flask.g.db, U1.pk)
    challenge = server.generate_auth_challenge(user)
    answer = account.AuthChallengeResp(challenge)
    signed_answer = SignedMessage.sign(answer, SK1)
    http_resp = client.post('/account/challenge/verify', json=signed_answer.to_dict())
    assert http_resp.status_code == 200

    auth_resp = Message.from_dict(http_resp.json)
    assert isinstance(auth_resp, account.AuthResp)
    assert auth_resp.err is None
    assert isinstance(auth_resp.cred, EncryptedMessage)

    signed_cred = EncryptedMessage.dec(auth_resp.cred, server.ENCKEY)
    assert signed_cred.is_valid()
    cred, signer_pk = signed_cred.unwrap()
    assert signer_pk == server.IDKEY.pubkey
    # Bound to the right user and still within its lifetime.
    assert cred.user == user
    assert cred.expire > time.time()
def test_authchallengeresp_str():
    """str() of an AuthChallengeResp embeds the str() of its challenge."""
    wrapped = EncryptedMessage.enc(Stub(1), EK)
    message = account.AuthChallengeResp(wrapped)
    expected = 'AuthChallengeResp<%s>' % (wrapped, )
    assert str(message) == expected
def test_authchallengeresp_dict_bad_enc_chal():
    """from_dict returns None when the challenge is not an EncryptedMessage.

    The serialized dict is built from an AuthChallengeResp wrapping a bare
    Stub. Deserializing must refuse the wrong type rather than accept it.
    """
    bogus = account.AuthChallengeResp(Stub(1))
    payload = bogus.to_dict()
    parsed = account.AuthChallengeResp.from_dict(payload)
    assert parsed is None
def test_authchallengeresp_dict_no_enc_chal():
    """from_dict returns None when the 'enc_chal' key is missing."""
    wrapped = EncryptedMessage.enc(Stub(1), EK)
    payload = account.AuthChallengeResp(wrapped).to_dict()
    # Drop the required field so the dict is incomplete.
    del payload['enc_chal']
    parsed = account.AuthChallengeResp.from_dict(payload)
    assert parsed is None
def test_authchallenegeresp_dict_identity():
    """to_dict followed by from_dict gives back an equal AuthChallengeResp."""
    # NOTE(review): the function name spells "challenege"; it is left as is
    # so existing test ids do not change.
    wrapped = EncryptedMessage.enc(Stub(1), EK)
    original = account.AuthChallengeResp(wrapped)
    serialized = original.to_dict()
    round_tripped = account.AuthChallengeResp.from_dict(serialized)
    assert original == round_tripped