def setUp(self): self.perm_add = Permission.objects.get(codename='add_acmechallenge') self.perm_change = Permission.objects.get( codename='change_acmechallenge') self.perm_delete = Permission.objects.get( codename='delete_acmechallenge') self.user_joe = User.objects.create_user(username='******') self.user_joe.is_staff = False self.user_joe.save() self.user_certbot = User.objects.create_user(username='******') self.user_certbot.is_staff = True self.user_certbot.save() self.user_certbot.user_permissions.add(self.perm_add) self.user_certbot.user_permissions.add(self.perm_change) self.user_certbot.user_permissions.add(self.perm_delete) _priv, _pub = generate_key_pair() self.priv_key_joe = _priv PublicKey.objects.create(key=_pub, comment='Test Key', user=self.user_joe) _priv, _pub = generate_key_pair() self.priv_key_certbot = _priv PublicKey.objects.create(key=_pub, comment='Test Key', user=self.user_certbot)
def test_generate_from_key_string(self): private1, public1 = generate_key_pair() private2, public2 = generate_key_pair() header = create_auth_header('foo', key=private1) self.assertTrue(header.startswith('JWT ')) token = header.split(' ', 1)[1] self.assertFalse(verify(token, public2)) self.assertTrue(verify(token, public1))
def test_perform_existing_key(self, mock_get_utility): self.config.django_public_ip_logging_ok = True self.config.django_username = '******' self.config.django_key_directory = self.temp_dir priv, pub = generate_key_pair() keypath = os.path.join(self.temp_dir, 'certbot_django_id_rsa_examplecom') with open(keypath, 'w') as keyfile: keyfile.write(priv) with requests_mock.mock() as m: m.post('http://example.com/.well-known/challenges/', json={}, status_code=201) actual = self.auth.perform(self.achalls) expected = [ achall.response(achall.account_key) for achall in self.achalls ] self.assertEqual(actual, expected) self.assertEqual(m.call_count, 1) for i, (args, kwargs) in enumerate( mock_get_utility().notification.call_args_list): self.assertEqual("" in args[0]) self.assertFalse(kwargs['wrap'])
def test_generate_new_key(self): private, public = auth.generate_key_pair() private = private.strip().split('\n') self.assertEqual(private[0], '-----BEGIN PRIVATE KEY-----') self.assertEqual(private[27], '-----END PRIVATE KEY-----') public = public.strip().split('\n') self.assertEqual(public[0], '-----BEGIN PUBLIC KEY-----') self.assertEqual(public[8], '-----END PUBLIC KEY-----')
def test_bad_keys(self): private1, public1 = generate_key_pair() private2, public2 = generate_key_pair() t = token.sign('guido', private1) token_data = token.verify(t, public1) self.assertTrue(token_data) t = token.sign('guido', private2) token_data = token.verify(t, public2) self.assertTrue(token_data) t = token.sign('guido', private1) token_data = token.verify(t, public2) self.assertFalse(token_data) t = token.sign('guido', private2) token_data = token.verify(t, public1) self.assertFalse(token_data)
def test_bad_nonce(self): private, public = generate_key_pair() t = token.sign('guido', private, generate_nonce=lambda username, iat: 1) token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1) self.assertTrue(token_data) t = token.sign('guido', private, generate_nonce=lambda username, iat: 1) token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 2) self.assertFalse(token_data) t = token.sign('guido', private, generate_nonce=lambda username, iat: 2) token_data = token.verify(t, public, validate_nonce=lambda username, iat, nonce: nonce == 1) self.assertFalse(token_data)
def test_bad_iat(self): private, public = generate_key_pair() t = token.sign('guido', private, iat=time.time()) token_data = token.verify(t, public) self.assertTrue(token_data) # IAT tolerance exists to account for clock drift between disparate systems. tolerance = token.TIMESTAMP_TOLERANCE + 1 t = token.sign('guido', private, iat=time.time() - tolerance) token_data = token.verify(t, public) self.assertFalse(token_data) t = token.sign('guido', private, iat=time.time() + tolerance) token_data = token.verify(t, public) self.assertFalse(token_data)
def test_perform_bad_auth(self, mock_get_utility): self.config.django_public_ip_logging_ok = True self.config.django_username = '******' self.config.django_key_directory = self.temp_dir priv, pub = generate_key_pair() keypath = os.path.join(self.temp_dir, 'certbot_django_id_rsa_examplecom') with open(keypath, 'w') as keyfile: keyfile.write(priv) with requests_mock.mock() as m: m.post('http://example.com/.well-known/challenges/', json={}, status_code=403) self.assertRaises(errors.PluginError, self.auth.perform, self.achalls)
def test_cleanup(self): self.config.django_public_ip_logging_ok = True self.config.django_username = '******' self.config.django_key_directory = self.temp_dir priv, pub = generate_key_pair() keypath = os.path.join(self.temp_dir, 'certbot_django_id_rsa_examplecom') with open(keypath, 'w') as keyfile: keyfile.write(priv) with requests_mock.mock() as m: m.post('http://example.com/.well-known/challenges/', json={}, status_code=201) m.delete(re.compile( 'example\.com/\.well-known/challenges/[A-Za-z0-9]+/$'), json={}, status_code=204) self.auth.perform(self.achalls) self.auth.cleanup(self.achalls) self.assertEqual(m.call_count, 2)
def test_bad_nonce(self): private, public = generate_key_pair() t = token.sign('guido', private, generate_nonce=lambda username, iat: 1) token_data = token.verify( t, public, validate_nonce=lambda username, iat, nonce: nonce == 1) self.assertTrue(token_data) t = token.sign('guido', private, generate_nonce=lambda username, iat: 1) token_data = token.verify( t, public, validate_nonce=lambda username, iat, nonce: nonce == 2) self.assertFalse(token_data) t = token.sign('guido', private, generate_nonce=lambda username, iat: 2) token_data = token.verify( t, public, validate_nonce=lambda username, iat, nonce: nonce == 1) self.assertFalse(token_data)
def _get_private_key(self, domain): filename = 'certbot_django_id_rsa_{}'.format(domain).replace('.', '') private_key_file = os.path.join(self._get_key_dir(), filename) private_key = None try: with open(private_key_file, 'r') as keyfile: private_key = keyfile.read() except (IOError, OSError): if self.config.noninteractive_mode: raise errors.PluginError('Could not read file from %s' % self._get_key_dir()) if not private_key: private_key, public_key = generate_key_pair() try: logger.info('Trying to load private key: %s' % private_key_file) with open(private_key_file, 'w') as keyfile: keyfile.write(private_key) except (IOError, OSError): raise errors.PluginError('Could not write private key to %s' % self._get_key_dir()) msg = ( "Couldn't read private key from {private_key_file}, so a new key has been generated and saved. " "Please go your website ({url}) and add the following public key to the user '{username}'. " "Please also make sure that '{username}' is a staff user and has permission to add and " "delete AcmeChallenge objects." "\n\n" "{public_key}" ) msg = msg.format( private_key_file=private_key_file, url="http://{}/admin/asymmetric_jwt_auth/publickey/add/".format(domain), username=self._get_username(), public_key=public_key) display = zope.component.getUtility(interfaces.IDisplay) display.notification(msg, wrap=False, force_interactive=True) return private_key
def test_roundtrip(self): private, public = generate_key_pair() t = token.sign('guido', private) token_data = token.verify(t, public) self.assertTrue(token_data) self.assertEqual(token_data.get('username'), 'guido')
def test_get_claimed_username(self): private, public = generate_key_pair() t = token.sign('guido', private) self.assertEqual(token.get_claimed_username(t), 'guido')
def handle_noargs(self, **options): pem_private, pem_public = generate_key_pair() print(pem_private) print(pem_public)