def test_reject_protocol_violation(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
self.server_first_message),
("response",
self.client_final_message_without_proof +
b",p="+base64.b64encode(self.client_proof),
"challenge",
b"foo"),
("response", b"", "success", b"bar")
]))
with self.assertRaisesRegexp(aiosasl.SASLFailure,
"protocol violation") as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertEqual(
None,
ctx.exception.opaque_error
)
def test_malformed_reply(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
b"s=hut,t=hefu,c=kup,d=onny"),
("abort", None,
"failure", ("aborted", None))
]))
with self.assertRaises(aiosasl.SASLFailure) as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertIn(
"malformed",
str(ctx.exception).lower()
)
def test_promote_failure_to_authentication_failure(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
self.server_first_message),
("response",
self.client_final_message_without_proof +
b",p="+base64.b64encode(self.client_proof),
"failure",
("credentials-expired", None))
]))
with self.assertRaises(aiosasl.AuthenticationFailure) as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertEqual(
"credentials-expired",
ctx.exception.opaque_error
)
def test_invalid_signature(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
self.server_first_message),
("response",
self.client_final_message_without_proof +
b",p="+base64.b64encode(self.client_proof),
"success",
b"v="+base64.b64encode(b"fnord"))
]))
with self.assertRaises(aiosasl.SASLFailure) as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertIsNone(ctx.exception.opaque_error)
self.assertIn(
"signature",
str(ctx.exception).lower()
)
def test_other_malformed_reply(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
b"i=sometext,s=ABC,r=Zm9vAAAAAAAAAAAAAAAA3rfcNHYJY1ZVvWVs7j"),
("abort", None,
"failure", ("aborted", None))
]))
with self.assertRaises(aiosasl.SASLFailure) as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertIn(
"malformed",
str(ctx.exception).lower()
)
def test_rfc(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
self.server_first_message),
("response",
self.client_final_message_without_proof +
b",p="+base64.b64encode(self.client_proof),
"success",
b"v="+base64.b64encode(self.server_signature))
]))
self.assertTrue(self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
))
def test_incorrect_nonce(self):
smmock = aiosasl.SASLStateMachine(SASLInterfaceMock(
self,
[
("auth;SCRAM-SHA-1-PLUS",
b"p=tls-unique,,"+self.client_first_message_bare,
"challenge",
b"r=foobar,s="+base64.b64encode(self.salt)+b",i=4096"),
("abort", None,
"failure", ("aborted", None))
]))
with self.assertRaisesRegexp(aiosasl.SASLFailure, "nonce") as ctx:
self._run(
smmock,
aiosasl.SCRAMPLUS(
self._provide_credentials,
TLSUnique(self._tls_connection)
)
)
self.assertIsNone(ctx.exception.opaque_error)