def setUp(self):
self.perm_add = Permission.objects.get(codename='add_acmechallenge')
self.perm_change = Permission.objects.get(
codename='change_acmechallenge')
self.perm_delete = Permission.objects.get(
codename='delete_acmechallenge')
self.user_joe = User.objects.create_user(username='******')
self.user_joe.is_staff = False
self.user_joe.save()
self.user_certbot = User.objects.create_user(username='******')
self.user_certbot.is_staff = True
self.user_certbot.save()
self.user_certbot.user_permissions.add(self.perm_add)
self.user_certbot.user_permissions.add(self.perm_change)
self.user_certbot.user_permissions.add(self.perm_delete)
_priv, _pub = generate_key_pair()
self.priv_key_joe = _priv
PublicKey.objects.create(key=_pub,
comment='Test Key',
user=self.user_joe)
_priv, _pub = generate_key_pair()
self.priv_key_certbot = _priv
PublicKey.objects.create(key=_pub,
comment='Test Key',
user=self.user_certbot)
def test_generate_from_key_string(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
header = create_auth_header('foo', key=private1)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
self.assertFalse(verify(token, public2))
self.assertTrue(verify(token, public1))
def test_generate_from_key_string(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
header = create_auth_header('foo', key=private1)
self.assertTrue(header.startswith('JWT '))
token = header.split(' ', 1)[1]
self.assertFalse(verify(token, public2))
self.assertTrue(verify(token, public1))
def test_perform_existing_key(self, mock_get_utility):
self.config.django_public_ip_logging_ok = True
self.config.django_username = '******'
self.config.django_key_directory = self.temp_dir
priv, pub = generate_key_pair()
keypath = os.path.join(self.temp_dir,
'certbot_django_id_rsa_examplecom')
with open(keypath, 'w') as keyfile:
keyfile.write(priv)
with requests_mock.mock() as m:
m.post('http://example.com/.well-known/challenges/',
json={},
status_code=201)
actual = self.auth.perform(self.achalls)
expected = [
achall.response(achall.account_key) for achall in self.achalls
]
self.assertEqual(actual, expected)
self.assertEqual(m.call_count, 1)
for i, (args, kwargs) in enumerate(
mock_get_utility().notification.call_args_list):
self.assertEqual("" in args[0])
self.assertFalse(kwargs['wrap'])
def test_generate_new_key(self):
private, public = auth.generate_key_pair()
private = private.strip().split('\n')
self.assertEqual(private[0], '-----BEGIN PRIVATE KEY-----')
self.assertEqual(private[27], '-----END PRIVATE KEY-----')
public = public.strip().split('\n')
self.assertEqual(public[0], '-----BEGIN PUBLIC KEY-----')
self.assertEqual(public[8], '-----END PUBLIC KEY-----')
def test_bad_keys(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
t = token.sign('guido', private1)
token_data = token.verify(t, public1)
self.assertTrue(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public2)
self.assertTrue(token_data)
t = token.sign('guido', private1)
token_data = token.verify(t, public2)
self.assertFalse(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public1)
self.assertFalse(token_data)
def test_bad_keys(self):
private1, public1 = generate_key_pair()
private2, public2 = generate_key_pair()
t = token.sign('guido', private1)
token_data = token.verify(t, public1)
self.assertTrue(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public2)
self.assertTrue(token_data)
t = token.sign('guido', private1)
token_data = token.verify(t, public2)
self.assertFalse(token_data)
t = token.sign('guido', private2)
token_data = token.verify(t, public1)
self.assertFalse(token_data)
def test_bad_nonce(self):
private, public = generate_key_pair()
t = token.sign('guido', private, generate_nonce=lambda username, iat: 1)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertTrue(token_data)
t = token.sign('guido', private, generate_nonce=lambda username, iat: 1)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 2)
self.assertFalse(token_data)
t = token.sign('guido', private, generate_nonce=lambda username, iat: 2)
token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertFalse(token_data)
def test_bad_iat(self):
private, public = generate_key_pair()
t = token.sign('guido', private, iat=time.time())
token_data = token.verify(t, public)
self.assertTrue(token_data)
# IAT tolerance exists to account for clock drift between disparate systems.
tolerance = token.TIMESTAMP_TOLERANCE + 1
t = token.sign('guido', private, iat=time.time() - tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
t = token.sign('guido', private, iat=time.time() + tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
def test_perform_bad_auth(self, mock_get_utility):
self.config.django_public_ip_logging_ok = True
self.config.django_username = '******'
self.config.django_key_directory = self.temp_dir
priv, pub = generate_key_pair()
keypath = os.path.join(self.temp_dir,
'certbot_django_id_rsa_examplecom')
with open(keypath, 'w') as keyfile:
keyfile.write(priv)
with requests_mock.mock() as m:
m.post('http://example.com/.well-known/challenges/',
json={},
status_code=403)
self.assertRaises(errors.PluginError, self.auth.perform,
self.achalls)
def test_bad_iat(self):
private, public = generate_key_pair()
t = token.sign('guido', private, iat=time.time())
token_data = token.verify(t, public)
self.assertTrue(token_data)
# IAT tolerance exists to account for clock drift between disparate systems.
tolerance = token.TIMESTAMP_TOLERANCE + 1
t = token.sign('guido', private, iat=time.time() - tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
t = token.sign('guido', private, iat=time.time() + tolerance)
token_data = token.verify(t, public)
self.assertFalse(token_data)
def test_cleanup(self):
self.config.django_public_ip_logging_ok = True
self.config.django_username = '******'
self.config.django_key_directory = self.temp_dir
priv, pub = generate_key_pair()
keypath = os.path.join(self.temp_dir,
'certbot_django_id_rsa_examplecom')
with open(keypath, 'w') as keyfile:
keyfile.write(priv)
with requests_mock.mock() as m:
m.post('http://example.com/.well-known/challenges/',
json={},
status_code=201)
m.delete(re.compile(
'example\.com/\.well-known/challenges/[A-Za-z0-9]+/$'),
json={},
status_code=204)
self.auth.perform(self.achalls)
self.auth.cleanup(self.achalls)
self.assertEqual(m.call_count, 2)
def test_bad_nonce(self):
private, public = generate_key_pair()
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 1)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertTrue(token_data)
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 1)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 2)
self.assertFalse(token_data)
t = token.sign('guido',
private,
generate_nonce=lambda username, iat: 2)
token_data = token.verify(
t, public, validate_nonce=lambda username, iat, nonce: nonce == 1)
self.assertFalse(token_data)
def _get_private_key(self, domain):
filename = 'certbot_django_id_rsa_{}'.format(domain).replace('.', '')
private_key_file = os.path.join(self._get_key_dir(), filename)
private_key = None
try:
with open(private_key_file, 'r') as keyfile:
private_key = keyfile.read()
except (IOError, OSError):
if self.config.noninteractive_mode:
raise errors.PluginError('Could not read file from %s' % self._get_key_dir())
if not private_key:
private_key, public_key = generate_key_pair()
try:
logger.info('Trying to load private key: %s' % private_key_file)
with open(private_key_file, 'w') as keyfile:
keyfile.write(private_key)
except (IOError, OSError):
raise errors.PluginError('Could not write private key to %s' % self._get_key_dir())
msg = (
"Couldn't read private key from {private_key_file}, so a new key has been generated and saved. "
"Please go your website ({url}) and add the following public key to the user '{username}'. "
"Please also make sure that '{username}' is a staff user and has permission to add and "
"delete AcmeChallenge objects."
"\n\n"
"{public_key}"
)
msg = msg.format(
private_key_file=private_key_file,
url="http://{}/admin/asymmetric_jwt_auth/publickey/add/".format(domain),
username=self._get_username(),
public_key=public_key)
display = zope.component.getUtility(interfaces.IDisplay)
display.notification(msg, wrap=False, force_interactive=True)
return private_key
def test_roundtrip(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
token_data = token.verify(t, public)
self.assertTrue(token_data)
self.assertEqual(token_data.get('username'), 'guido')
def test_get_claimed_username(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
self.assertEqual(token.get_claimed_username(t), 'guido')
def test_get_claimed_username(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
self.assertEqual(token.get_claimed_username(t), 'guido')
def test_roundtrip(self):
private, public = generate_key_pair()
t = token.sign('guido', private)
token_data = token.verify(t, public)
self.assertTrue(token_data)
self.assertEqual(token_data.get('username'), 'guido')
def handle_noargs(self, **options):
pem_private, pem_public = generate_key_pair()
print(pem_private)
print(pem_public)
