class FxATestAccount: """A base test class that can be extended by other tests to include utility methods.""" password = ''.join([random.choice(string.ascii_letters) for i in range(8)]) def __init__(self, url=DEV_URL): """ Creates an FxATestAccount object, which includes a verified account. :param url: The url for the api host. Defaults to DEV_URL. """ self.url = url random_string = ''.join( random.choice(string.ascii_lowercase) for _ in range(12)) email_pattern = random_string + '@{hostname}' self.account = TestEmailAccount(email=email_pattern) self.client = Client(self.url) # Create and verify the Firefox account self.session = self.client.create_account(self.account.email, self.password) print('fxapom created an account for email: %s at %s on %s' % (self.account.email, self.url, datetime.now())) m = self.account.wait_for_email( lambda m: "x-verify-code" in m["headers"]) if not m: raise RuntimeError("Verification email was not received") self.session.verify_email_code(m["headers"]["x-verify-code"]) def __del__(self): """ Deletes the Firefox Account that was created during __init__. """ try: self.account.clear() self.client.destroy_account(self.email, self.password) print('fxapom deleted the account for email: %s at %s on %s' % (self.account.email, self.url, datetime.now())) except ClientError as err: # 'Unknown Account' error is ok - account already deleted # https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format if err.errno == 102: return raise def login(self): try: session = self.client.login(self.email, self.password) return session except ClientError as err: # 'Unknown Account' error is the only one we care about and will # cause us to throw a custom exception # https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format if err.errno == 102: raise AccountNotFoundException('FxA Account Not Found') raise @property def email(self): return self.account.email @property def is_verified(self): return self.session.get_email_status()['verified']
def login(user): client = Client("https://api.accounts.firefox.com") session = client.login(user['email'], user['password'], keys=True) keyA,keyB = session.fetch_keys() info = b"identity.mozilla.com/picl/v1/oldsync" namespace = b"oldsync" keys = derive_key(secret=keyB, namespace=namespace, size=64) encryption_key = keys[0:32] hmac_key = keys[32:64] # TODO: Store this or a derived longer-lived token # Causes a login event which causes an email # TODO: Should move to use OAuth which solves the long-term cred storage # issue fxab = FxABrowserIDAuth(user['email'], user['password'], with_client_state=True) raw_resp = requests.get('https://token.services.mozilla.com/1.0/sync/1.5', auth=fxab) raw_resp.raise_for_status() hawk_resp = raw_resp.json() return { "hawk_resp": hawk_resp, "hawk_uid": hawk_resp['uid'], "hawk_hashalg": hawk_resp['hashalg'], "hawk_api_endpoint": hawk_resp['api_endpoint'], "hawk_duration": hawk_resp['duration'], "hawk_key": hawk_resp['key'], "hawk_hashed_fxa_uid": hawk_resp['hashed_fxa_uid'], "hawk_id": hawk_resp['id'], 'encryption_key': encryption_key.hex(), 'hmac_key': hmac_key.hex(), }
class FxATestAccount: """A base test class that can be extended by other tests to include utility methods.""" password = ''.join([random.choice(string.letters) for i in range(8)]) def __init__(self, url=DEV_URL): """ Creates an FxATestAccount object, which includes a verified account. :param url: The url for the api host. Defaults to DEV_URL. """ self.url = url random_string = ''.join(random.choice(string.ascii_lowercase) for _ in range(12)) email_pattern = random_string + '@{hostname}' self.account = TestEmailAccount(email=email_pattern) self.client = Client(self.url) # Create and verify the Firefox account self.session = self.client.create_account(self.account.email, self.password) print 'fxapom created an account for email: %s at %s on %s' % ( self.account.email, self.url, datetime.now()) m = self.account.wait_for_email(lambda m: "x-verify-code" in m["headers"]) if not m: raise RuntimeError("Verification email was not received") self.session.verify_email_code(m["headers"]["x-verify-code"]) def __del__(self): """ Deletes the Firefox Account that was created during __init__. """ try: self.account.clear() self.client.destroy_account(self.email, self.password) print 'fxapom deleted the account for email: %s at %s on %s' % ( self.account.email, self.url, datetime.now()) except ClientError as err: # 'Unknown Account' error is ok - account already deleted # https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format if err.errno == 102: return raise def login(self): try: session = self.client.login(self.email, self.password) return session except ClientError as err: # 'Unknown Account' error is the only one we care about and will # cause us to throw a custom exception # https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format if err.errno == 102: raise AccountNotFoundException('FxA Account Not Found') raise @property def email(self): return self.account.email @property def is_verified(self): return self.session.get_email_status()['verified']
def get_browserid_assertion(login, password, fxa_server_url=FXA_SERVER_URL, tokenserver_url=TOKENSERVER_URL): """Trade a user and password for a BrowserID assertion and the client state. """ client = FxAClient(server_url=fxa_server_url) session = client.login(login, password, keys=True) bid_assertion = session.get_identity_assertion(tokenserver_url) _, keyB = session.fetch_keys() return bid_assertion, hexlify(sha256(keyB).digest()[0:16])
def get_browserid_assertion(login, password, fxa_server_url=FXA_SERVER_URL, tokenserver_url=TOKENSERVER_URL): """Trade a user and password for a BrowserID assertion and the client state. """ client = FxAClient(server_url=fxa_server_url) session = client.login(login, password, keys=True) bid_assertion = session.get_identity_assertion(tokenserver_url) _, keyB = session.fetch_keys() if isinstance(keyB, six.text_type): # pragma: no cover keyB = keyB.encode('utf-8') return bid_assertion, hexlify(sha256(keyB).digest()[0:16])
class LoadTest(TestCase): server_url = 'https://api-accounts.stage.mozaws.net' def setUp(self): super(LoadTest, self).setUp() self.client = Client(APIClient(self.server_url, session=self.session)) def test_auth_server(self): # Authenticate as a new or existing user. if random.randint(0, 100) < ACCOUNT_CREATE_PERCENT: session = self._authenticate_as_new_user() else: session = self._authenticate_as_existing_user() # Fetch keys and make some number of signing requests. session.fetch_keys() session.check_session_status() session.get_random_bytes() num_sign_reqs = random.randint(SIGN_REQS_MIN, SIGN_REQS_MAX) for i in xrange(num_sign_reqs): session.sign_certificate(DUMMY_PUBLIC_KEY) # Teardown the session, and maybe the whole account. session.destroy_session() if random.randint(0, 100) < ACCOUNT_DELETE_PERCENT: self.client.destroy_account( email=session.email, stretchpwd=self._get_stretchpwd(session.email), ) def _get_stretchpwd(self, email): return hashlib.sha256(email).hexdigest() def _authenticate_as_new_user(self): # Authenticate as a brand-new user account. # Assume it doesn't exist, try to create the account. # But it's not big deal if it happens to already exist. email = "*****@*****.**" % (uniq(),) kwds = { "email": email, "stretchpwd": self._get_stretchpwd(email), "keys": True, "preVerified": True, } try: return self.client.create_account(**kwds) except fxa.errors.ClientError, e: if e.errno != ERROR_ACCOUNT_EXISTS: raise kwds.pop("preVerified") return self.client.login(**kwds)
class WeaveAccountFxA(object): """Encapsulates the cryptographic context for the OnePw account and token server.""" account_server = None token_server = None username = None password = None synckey = None client = None session = None session_keys = False def init(self, account_server, token_server, username, password): logging.debug("init()") self.account_server = account_server self.token_server = token_server self.username = username self.password = password self.client = Client(account_server) def get_session(self, keys=False): if (self.session == None or (keys and not session_keys)): if (self.session != None): session.destroy_session() self.session = self.client.login(self.username, self.password, keys=keys) self.session_keys = keys return self.session def get_auth_token(self, audience=None, keypair=None, certificate=None, synckey=None): if synckey == None: synckey = self.get_synckey() #get_session() must come after get_synckey() to make sure we have the same session object session = self.get_session() return getSyncAuthToken(session, self.token_server, synckey, audience=audience, keypair=keypair, certificate=certificate) def get_synckey(self): if self.synckey == None: self.synckey = self.get_session(True).fetch_keys()[1] return self.synckey
def login(user): """ Logs a user into their Firefox account and returns tempoary credentials for use by AuthRequest. """ # TODO: pull out the urls to be part of the config. client = Client("https://api.accounts.firefox.com") session = client.login(user['email'], user['password'], keys=True) keyA, keyB = session.fetch_keys() # Magic strings from the docs # https://moz-services-docs.readthedocs.io/en/latest/sync/storageformat5.html info = b"identity.mozilla.com/picl/v1/oldsync" namespace = b"oldsync" keys = derive_key(secret=keyB, namespace=namespace, size=64) encryption_key = keys[0:32] hmac_key = keys[32:64] # TODO: Store this or a derived longer-lived token # Causes a login event which causes an email # TODO: Should move to use OAuth which solves the long-term cred storage # issue fxab = FxABrowserIDAuth(user['email'], user['password'], with_client_state=True) raw_resp = requests.get('https://token.services.mozilla.com/1.0/sync/1.5', auth=fxab) raw_resp.raise_for_status() hawk_resp = raw_resp.json() return { "hawk_resp": hawk_resp, "hawk_uid": hawk_resp['uid'], "hawk_hashalg": hawk_resp['hashalg'], "hawk_api_endpoint": hawk_resp['api_endpoint'], "hawk_duration": hawk_resp['duration'], "hawk_key": hawk_resp['key'], "hawk_hashed_fxa_uid": hawk_resp['hashed_fxa_uid'], "hawk_id": hawk_resp['id'], 'encryption_key': encryption_key.hex(), 'hmac_key': hmac_key.hex(), }
def getFxASession(server, username, password, fetch_keys=False): client = Client(server) session = client.login(username, password, keys=fetch_keys) return session
class MozillaSync(object): """ Sync client """ def __init__(self): """ Init client """ from fxa.core import Client as FxAClient self.__fxa_client = FxAClient() def login(self, login, password): """ Login to FxA and get the keys. @param login as str @param password as str @return fxaSession """ fxaSession = self.__fxa_client.login(login, password, keys=True) fxaSession.fetch_keys() return fxaSession def connect(self, bid_assertion, key): """ Connect to sync using FxA browserid assertion @param session as fxaSession @return bundle keys as KeyBundle """ state = None if key is not None: from binascii import hexlify state = hexlify(sha256(key).digest()[0:16]) self.__client = SyncClient(bid_assertion, state) sync_keys = KeyBundle.fromMasterKey( key, "identity.mozilla.com/picl/v1/oldsync") # Fetch the sync bundle keys out of storage. # They're encrypted with the account-level key. keys = self.__decrypt_payload(self.__client.get_record("crypto", "keys"), sync_keys) # There's some provision for using separate # key bundles for separate collections # but I haven't bothered digging through # to see what that's about because # it doesn't seem to be in use, at least on my account. if keys["collections"]: print("no support for per-collection key bundles yet sorry :-(") return None # Now use those keys to decrypt the records of interest. from base64 import b64decode bulk_keys = KeyBundle(b64decode(keys["default"][0]), b64decode(keys["default"][1])) return bulk_keys def get_records(self, collection, bulk_keys): """ Return records payload @param collection as str @param bulk keys as KeyBundle @return [{}] """ records = [] for record in self.__client.get_records(collection): record["payload"] = self.__decrypt_payload(record, bulk_keys) records.append(record) return records def add(self, item, collection, bulk_keys): """ Add bookmark @param bookmark as {} @param collection as str @param bulk_keys as KeyBundle """ payload = self.__encrypt_payload(item, bulk_keys) record = {} record["modified"] = round(time(), 2) record["payload"] = payload record["id"] = item["id"] self.__client.put_record(collection, record) def get_browserid_assertion(self, session, tokenserver_url=TOKENSERVER_URL): """ Get browser id assertion and state @param session as fxaSession @return (bid_assertion, state) as (str, str) """ bid_assertion = session.get_identity_assertion(tokenserver_url) return bid_assertion, session.keys[1] @property def client(self): """ Get client """ return self.__client @property def fxa_client(self): """ Get fxa client """ return self.__fxa_client ####################### # PRIVATE # ####################### def __encrypt_payload(self, record, key_bundle): """ Encrypt payload @param record as {} @param key bundle as KeyBundle @return encrypted record payload """ from Crypto.Cipher import AES from Crypto import Random from hmac import new from base64 import b64encode plaintext = json.dumps(record).encode("utf-8") # Input strings must be a multiple of 16 in length length = 16 - (len(plaintext) % 16) plaintext += bytes([length]) * length iv = Random.new().read(16) aes = AES.new(key_bundle.encryption_key, AES.MODE_CBC, iv) ciphertext = b64encode(aes.encrypt(plaintext)) _hmac = new(key_bundle.hmac_key, ciphertext, sha256).hexdigest() payload = {"ciphertext": ciphertext.decode("utf-8"), "IV": b64encode(iv).decode("utf-8"), "hmac": _hmac} return json.dumps(payload) def __decrypt_payload(self, record, key_bundle): """ Descrypt payload @param record as str (json) @param key bundle as KeyBundle @return uncrypted record payload """ from Crypto.Cipher import AES from hmac import new from base64 import b64decode j = json.loads(record["payload"]) # Always check the hmac before decrypting anything. expected_hmac = new(key_bundle.hmac_key, j['ciphertext'].encode("utf-8"), sha256).hexdigest() if j['hmac'] != expected_hmac: raise ValueError("HMAC mismatch: %s != %s" % (j['hmac'], expected_hmac)) ciphertext = b64decode(j['ciphertext']) iv = b64decode(j['IV']) aes = AES.new(key_bundle.encryption_key, AES.MODE_CBC, iv) plaintext = aes.decrypt(ciphertext).strip().decode("utf-8") # Remove any CBC block padding, # assuming it's a well-formed JSON payload. plaintext = plaintext[:plaintext.rfind("}") + 1] return json.loads(plaintext)
class TestCoreClientSession(unittest.TestCase): server_url = TEST_SERVER_URL def setUp(self): self.client = Client(self.server_url) # Create a fresh testing account. self.acct = TestEmailAccount() self.stretchpwd = quick_stretch_password( self.acct.email, DUMMY_PASSWORD, ) self.session = self.client.create_account( email=self.acct.email, stretchpwd=self.stretchpwd, keys=True, ) # Verify the account so that we can actually use the session. m = self.acct.wait_for_email(lambda m: "x-verify-code" in m["headers"]) if not m: raise RuntimeError("Verification email was not received") self.acct.clear() self.session.verify_email_code(m["headers"]["x-verify-code"]) # Fetch the keys. self.session.fetch_keys() self.assertEqual(len(self.session.keys), 2) self.assertEqual(len(self.session.keys[0]), 32) self.assertEqual(len(self.session.keys[1]), 32) def tearDown(self): # Clean up the session and account. # This might fail if the test already cleaned it up. try: self.session.destroy_session() except fxa.errors.ClientError: pass try: self.client.destroy_account( email=self.acct.email, stretchpwd=self.stretchpwd, ) except fxa.errors.ClientError: pass self.acct.clear() def test_session_status(self): self.session.check_session_status() self.session.destroy_session() with self.assertRaises(fxa.errors.ClientError): self.session.check_session_status() def test_email_status(self): status = self.session.get_email_status() self.assertTrue(status["verified"]) def test_get_random_bytes(self): b1 = self.session.get_random_bytes() b2 = self.session.get_random_bytes() self.assertTrue(isinstance(b1, binary_type)) self.assertNotEqual(b1, b2) def test_sign_certificate(self): email = self.acct.email pubkey = browserid.tests.support.get_keypair(email)[0] cert = self.session.sign_certificate(pubkey) issuer = browserid.utils.decode_json_bytes(cert.split(".")[1])["iss"] expected_issuer = urlparse(self.client.server_url).hostname self.assertEqual(issuer, expected_issuer) def test_sign_certificate_handles_duration(self): email = self.acct.email pubkey = browserid.tests.support.get_keypair(email)[0] millis = int(round(time.time() * 1000)) cert = self.session.sign_certificate(pubkey, duration=4000) cert_exp = browserid.utils.decode_json_bytes(cert.split(".")[1])["exp"] ttl = round(float(cert_exp - millis) / 1000) self.assertGreaterEqual(ttl, 2) self.assertLessEqual(ttl, 30) def test_change_password(self): # Change the password. newpwd = mutate_one_byte(DUMMY_PASSWORD) self.stretchpwd = quick_stretch_password(self.acct.email, newpwd) self.session.change_password(DUMMY_PASSWORD, newpwd) # Check that we can use the new password. session2 = self.client.login(self.acct.email, newpwd, keys=True) if not session2.get_email_status().get("verified"): def has_verify_code(m): return "x-verify-code" in m["headers"] m = self.acct.wait_for_email(has_verify_code) if not m: raise RuntimeError("Verification email was not received") self.acct.clear() session2.verify_email_code(m["headers"]["x-verify-code"]) # Check that encryption keys have been preserved. session2.fetch_keys() self.assertEquals(self.session.keys, session2.keys) def test_get_identity_assertion(self): assertion = self.session.get_identity_assertion("http://example.com") data = browserid.verify(assertion, audience="http://example.com") self.assertEquals(data["status"], "okay") expected_issuer = urlparse(self.session.server_url).hostname self.assertEquals(data["issuer"], expected_issuer) expected_email = "{0}@{1}".format(self.session.uid, expected_issuer) self.assertEquals(data["email"], expected_email) def test_get_identity_assertion_handles_duration(self): millis = int(round(time.time() * 1000)) bid_assertion = self.session.get_identity_assertion( "http://example.com", 1234) cert, assertion = browserid.utils.unbundle_certs_and_assertion( bid_assertion) cert = jwt.parse(cert[0]).payload assertion = jwt.parse(assertion).payload # Validate cert expiry ttl = round(float(cert['exp'] - millis) / 1000) self.assertGreaterEqual(ttl, 1230) self.assertLessEqual(ttl, 1260) # Validate assertion expiry ttl = round(float(assertion['exp'] - millis) / 1000) self.assertGreaterEqual(ttl, 1230) self.assertLessEqual(ttl, 1260) def test_get_identity_assertion_accepts_service(self): # We can't observe any side-effects of sending the service query param, # but we can test that it doesn't error out. assertion = self.session.get_identity_assertion("http://example.com", service="test-me") data = browserid.verify(assertion, audience="http://example.com") self.assertEquals(data["status"], "okay") def test_totp(self): resp = self.session.totp_create() # Double create causes a client error with self.assertRaises(fxa.errors.ClientError): self.session.totp_create() # Created but not verified returns false (and deletes the token) self.assertFalse(self.session.totp_exists()) # Creating again should work this time resp = self.session.totp_create() # Verify the code code = pyotp.TOTP(resp["secret"]).now() self.assertTrue(self.session.totp_verify(code)) self.assertTrue(self.session.verified) # Should exist now self.assertTrue(self.session.totp_exists()) # Remove the code resp = self.session.totp_delete() # And now should not exist self.assertFalse(self.session.totp_exists())
class LoadTest(TestCase): server_url = 'https://api-accounts.stage.mozaws.net' def setUp(self): super(LoadTest, self).setUp() self.client = Client(APIClient(self.server_url, session=self.session)) def _pick(self, *choices): """Pick one from a list of (item, weighting) options.""" sum_weights = sum(choice[1] for choice in choices) remainder = random.randint(0, sum_weights - 1) for choice, weight in choices: remainder -= weight if remainder < 0: return choice assert False, "somehow failed to pick from {}".format(choices) def _perc(self, percent): """Decide whether to do something, given desired percentage of runs.""" return random.randint(0, 99) < percent def test_auth_server(self): """Top-level method to run a randomly-secleted auth-server test.""" which_test = self._pick( (self.test_login_session_flow, PERCENT_TEST_LOGIN), (self.test_password_reset_flow, PERCENT_TEST_RESET), (self.test_password_change_flow, PERCENT_TEST_CHANGE), (self.test_support_doc_flow, PERCENT_TEST_SUPPORTDOC), ) which_test() def test_login_session_flow(self): """Do a full login-flow with cert signing etc.""" # Login as either a new or existing user. if self._perc(PERCENT_LOGIN_CREATE): session = self._authenticate_as_new_user() can_delete = True else: session = self._authenticate_as_existing_user() can_delete = False try: # Do a whole lot of account status polling. n_poll_reqs = random.randint(LOGIN_POLL_REQS_MIN, LOGIN_POLL_REQS_MAX) for i in xrange(n_poll_reqs): session.get_email_status() # Always fetch the keys. session.fetch_keys() # Sometimes check the session status. if self._perc(PERCENT_LOGIN_STATUS): session.check_session_status() # Sometimes get some random bytes. if self._perc(PERCENT_LOGIN_RANDBYTES): session.get_random_bytes() # Always do some number of signing requests. n_sign_reqs = random.randint(LOGIN_SIGN_REQS_MIN, LOGIN_SIGN_REQS_MAX) for i in xrange(n_sign_reqs): session.sign_certificate(DUMMY_PUBLIC_KEY) # Sometimes tear down the session. if self._perc(PERCENT_LOGIN_TEARDOWN): session.destroy_session() except fxa.errors.ClientError as e: # There's a small chance this could fail due to concurrent # password change destroying the session token. if e.errno != ERROR_INVALID_TOKEN: raise # Sometimes destroy the account. if can_delete: if self._perc(PERCENT_LOGIN_CREATE_DESTROY): self.client.destroy_account( email=session.email, stretchpwd=self._get_stretchpwd(session.email), ) def _get_stretchpwd(self, email): return hashlib.sha256(email).hexdigest() def _get_new_user_email(self): uid = uniq() return "loads-fxa-{}[email protected]".format(uid) def _get_existing_user_email(self): uid = random.randint(1, 999) return "loads-fxa-{}[email protected]".format(uid) def _authenticate_as_new_user(self): # Authenticate as a brand-new user account. # Assume it doesn't exist, and try to create the account. # But it's not big deal if it happens to already exist. email = self._get_new_user_email() kwds = { "email": email, "stretchpwd": self._get_stretchpwd(email), "keys": True, "preVerified": True, } try: session = self.client.create_account(**kwds) except fxa.errors.ClientError as e: if e.errno != ERROR_ACCOUNT_EXISTS: raise kwds.pop("preVerified") session = self.client.login(**kwds) # Sometimes resend the confirmation email. if self._perc(PERCENT_LOGIN_CREATE_RESEND): session.resend_email_code() # Sometimes (pretend to) verify the confirmation code. if self._perc(PERCENT_LOGIN_CREATE_VERIFY): try: session.verify_email_code(uniq(32)) except fxa.errors.ClientError as e: if e.errno != ERROR_INVALID_CODE: raise return session def _authenticate_as_existing_user(self): # Authenticate as an existing user account. # We select from a small pool of known accounts, creating it # if it does not exist. This should mean that all the accounts # are created quickly at the start of the loadtest run. email = self._get_existing_user_email() kwds = { "email": email, "stretchpwd": self._get_stretchpwd(email), "keys": True, } try: return self.client.login(**kwds) except fxa.errors.ClientError as e: if e.errno != ERROR_UNKNOWN_ACCOUNT: raise kwds["preVerified"] = True # Account creation might likewise fail due to a race. try: return self.client.create_account(**kwds) except fxa.errors.ClientError as e: if e.errno != ERROR_ACCOUNT_EXISTS: raise # Assume a normal login will now succeed. kwds.pop("preVerified") return self.client.login(**kwds) def test_password_reset_flow(self): email = self._get_existing_user_email() pft = self.client.send_reset_code(email) # XXX TODO: how to get the reset code? # I don't want to actually poll restmail during a loadtest... pft.get_status() try: pft.verify_code("0" * 32) except fxa.errors.ClientError as e: if e.errno != ERROR_INVALID_CODE: raise pft.get_status() def test_password_change_flow(self): email = self._get_existing_user_email() stretchpwd = self._get_stretchpwd(email) try: self.client.change_password( email, oldstretchpwd=stretchpwd, newstretchpwd=stretchpwd, ) except fxa.errors.ClientError as e: if e.errno != ERROR_UNKNOWN_ACCOUNT: raise # Create the "existing" account if it doens't yet exist. kwds = { "email": email, "stretchpwd": stretchpwd, "preVerified": True, } try: self.client.create_account(**kwds) except fxa.errors.ClientError as e: if e.errno != ERROR_UNKNOWN_ACCOUNT: raise else: self.client.change_password( email, oldstretchpwd=stretchpwd, newstretchpwd=stretchpwd, ) def test_support_doc_flow(self): base_url = self.server_url[:-3] self.session.get(base_url + "/.well-known/browserid")
class TestCoreClient(unittest.TestCase): server_url = TEST_SERVER_URL def setUp(self): self.client = Client(self.server_url) self._accounts_to_delete = [] def tearDown(self): for acct in self._accounts_to_delete: acct.clear() try: stretchpwd = acct.stretchpwd except AttributeError: try: password = acct.password stretchpwd = quick_stretch_password(acct.email, password) except AttributeError: stretchpwd = DUMMY_STRETCHED_PASSWORD self.client.destroy_account(acct.email, stretchpwd=stretchpwd) def test_account_creation(self): acct = TestEmailAccount() acct.password = DUMMY_PASSWORD session = self.client.create_account(acct.email, DUMMY_PASSWORD) self._accounts_to_delete.append(acct) self.assertEqual(session.email, acct.email) self.assertFalse(session.verified) self.assertEqual(session.keys, None) self.assertEqual(session._key_fetch_token, None) with self.assertRaises(Exception): session.fetch_keys() def test_account_creation_with_key_fetch(self): acct = TestEmailAccount() session = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, keys=True, ) self._accounts_to_delete.append(acct) self.assertEqual(session.email, acct.email) self.assertFalse(session.verified) self.assertEqual(session.keys, None) self.assertNotEqual(session._key_fetch_token, None) def test_account_login(self): acct = TestEmailAccount() session1 = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) session2 = self.client.login( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self.assertEqual(session1.email, session2.email) self.assertNotEqual(session1.token, session2.token) def test_get_random_bytes(self): b1 = self.client.get_random_bytes() b2 = self.client.get_random_bytes() self.assertTrue(isinstance(b1, binary_type)) self.assertNotEqual(b1, b2) def test_resend_verify_code(self): acct = TestEmailAccount() session = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) def is_verify_email(m): return "x-verify-code" in m["headers"] m1 = acct.wait_for_email(is_verify_email) code1 = m1["headers"]["x-verify-code"] # NOQA acct.clear() session.resend_email_code() # XXX TODO: this won't work against a live server because we # refuse to send duplicate emails within a short timespan. # m2 = acct.wait_for_email(is_verify_email) # code2 = m2["headers"]["x-verify-code"] # self.assertNotEqual(m1, m2) # self.assertEqual(code1, code2) def test_forgot_password_flow(self): acct = TestEmailAccount() self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) # Initiate the password reset flow, and grab the verification code. pftok = self.client.send_reset_code(acct.email, service="foobar") m = acct.wait_for_email(lambda m: "x-recovery-code" in m["headers"]) if not m: raise RuntimeError("Password reset email was not received") acct.clear() code = m["headers"]["x-recovery-code"] # Try with an invalid code to test error handling. tries = pftok.tries_remaining self.assertTrue(tries > 1) with self.assertRaises(Exception): pftok.verify_code(mutate_one_byte(code)) pftok.get_status() self.assertEqual(pftok.tries_remaining, tries - 1) # Re-send the code, as if we've lost the email. pftok.resend_code() m = acct.wait_for_email(lambda m: "x-recovery-code" in m["headers"]) if not m: raise RuntimeError("Password reset email was not received") self.assertEqual(m["headers"]["x-recovery-code"], code) # Now verify with the actual code, and reset the account. artok = pftok.verify_code(code) self.client.reset_account( email=acct.email, token=artok, stretchpwd=DUMMY_STRETCHED_PASSWORD ) def test_email_code_verification(self): self.client = Client(self.server_url) # Create a fresh testing account. self.acct = TestEmailAccount() self.client.create_account( email=self.acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) def wait_for_email(m): return "x-uid" in m["headers"] and "x-verify-code" in m["headers"] m = self.acct.wait_for_email(wait_for_email) if not m: raise RuntimeError("Verification email was not received") # If everything went well, verify_email_code should return an empty json object response = self.client.verify_email_code(m["headers"]["x-uid"], m["headers"]["x-verify-code"]) self.assertEquals(response, {}) def test_send_unblock_code(self): acct = TestEmailAccount(email="block-{uniq}@{hostname}") self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) # Initiate sending unblock code response = self.client.send_unblock_code(acct.email) self.assertEquals(response, {}) m = acct.wait_for_email(lambda m: "x-unblock-code" in m["headers"]) if not m: raise RuntimeError("Unblock code email was not received") code = m["headers"]["x-unblock-code"] self.assertTrue(len(code) > 0) self.client.login( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, unblock_code=code )
class TestCoreClientSession(unittest.TestCase): server_url = TEST_SERVER_URL def setUp(self): self.client = Client(self.server_url) # Create a fresh testing account. self.acct = TestEmailAccount() self.stretchpwd = quick_stretch_password( self.acct.email, DUMMY_PASSWORD, ) self.session = self.client.create_account( email=self.acct.email, stretchpwd=self.stretchpwd, keys=True, ) # Verify the account so that we can actually use the session. m = self.acct.wait_for_email(lambda m: "x-verify-code" in m["headers"]) if not m: raise RuntimeError("Verification email was not received") self.session.verify_email_code(m["headers"]["x-verify-code"]) # Fetch the keys. self.session.fetch_keys() self.assertEqual(len(self.session.keys), 2) self.assertEqual(len(self.session.keys[0]), 32) self.assertEqual(len(self.session.keys[1]), 32) def tearDown(self): # Clean up the session and account. # This might fail if the test already cleaned it up. try: self.session.destroy_session() except fxa.errors.ClientError: pass try: self.client.destroy_account( email=self.acct.email, stretchpwd=self.stretchpwd, ) except fxa.errors.ClientError: pass self.acct.clear() def test_session_status(self): self.session.check_session_status() self.session.destroy_session() with self.assertRaises(fxa.errors.ClientError): self.session.check_session_status() def test_email_status(self): status = self.session.get_email_status() self.assertTrue(status["verified"]) def test_get_random_bytes(self): b1 = self.session.get_random_bytes() b2 = self.session.get_random_bytes() self.assertTrue(isinstance(b1, six.binary_type)) self.assertNotEqual(b1, b2) def test_sign_certificate(self): email = self.acct.email pubkey = browserid.tests.support.get_keypair(email)[0] cert = self.session.sign_certificate(pubkey) issuer = browserid.utils.decode_json_bytes(cert.split(".")[1])["iss"] expected_issuer = urlparse.urlparse(self.client.server_url).hostname self.assertEqual(issuer, expected_issuer) def test_change_password(self): # Change the password. newpwd = mutate_one_byte(DUMMY_PASSWORD) self.stretchpwd = quick_stretch_password(self.acct.email, newpwd) self.session.change_password(DUMMY_PASSWORD, newpwd) # Check that we can use the new password. session2 = self.client.login(self.acct.email, newpwd, keys=True) # Check that encryption keys have been preserved. session2.fetch_keys() self.assertEquals(self.session.keys, session2.keys)
class FxATiming(object): server_url = 'https://api-accounts.stage.mozaws.net/v1' def __init__(self, server_url=None): if server_url is None: server_url = self.server_url self.session = requests.Session() apiclient = APIClient(self.server_url, session=self.session) self.client = Client(apiclient) # setup to capture req/res timings self._patch_send() self._patch_getresponse() self.timing_data = {} self.current_uri = () self.current_start = 0 # hook into http request for timing def _patch_send(self): old_send = httplib.HTTPConnection.send def new_send(context, data): self.current_start = time.time() lines = data.split('\r\n') [method, path, proto] = re.split('\s+', lines.pop(0)) path = urlparse(path).path headers = {} for line in lines: if len(line) == 0: break [key, val] = line.split(': ') headers[key.lower()] = val request = (headers['host'], method, path) self.current_uri = request if self.current_uri not in self.timing_data: self.timing_data[self.current_uri] = { 'times': [], 'codes': [] } log_request(data) req = old_send(context, data) return req httplib.HTTPConnection.send = new_send # hook into http response for timing def _patch_getresponse(self): old_getresponse = httplib.HTTPConnection.getresponse def new_getresponse(context): res = old_getresponse(context) elapsed = time.time() - self.current_start log_response(res) self.timing_data[self.current_uri]['times'].append(elapsed) self.timing_data[self.current_uri]['codes'].append(res.status) self.current_uri = () self.current_start = 0 return res httplib.HTTPConnection.getresponse = new_getresponse def _get_stretchpwd(self, email): return hashlib.sha256(email).hexdigest() def _get_user_email(self): uid = uniq() self.user_email = "fxa-timing-{}@restmail.net".format(uid) return self.user_email def _get_existing_user_email(self): uid = random.randint(1, 999) return "loads-fxa-{}[email protected]".format(uid) def dump_requests(self): for k, v in self.timing_data.items(): if k[0] == 'restmail.net': continue args = (k[0], k[1], k[2], v['codes'][0], v['times'][0]) print "%s %-4s %-32s %3d %.4f" % args def run(self): self.login_session_flow() # self.password_reset_flow() self.dump_requests() def login_session_flow(self): """Do a full login-flow with cert signing etc.""" # Login as a new user. session = self._authenticate_as_new_user() session.get_email_status() session.fetch_keys() session.check_session_status() session.get_random_bytes() session.sign_certificate(DUMMY_PUBLIC_KEY) base_url = self.server_url[:-3] self.session.get(base_url + "/.well-known/browserid") stretchpwd = self._get_stretchpwd(session.email) self.client.change_password( session.email, oldstretchpwd=stretchpwd, newstretchpwd=stretchpwd, ) kwds = { "email": session.email, "stretchpwd": stretchpwd, "keys": True } session = self.client.login(**kwds) pftok = self.client.send_reset_code(session.email) pftok.get_status() # verify the password forgot code. acct = Restmail(email=session.email) mail = acct.wait_for_email(lambda m: "x-recovery-code" in m["headers"]) if not mail: raise RuntimeError("Password reset email was not received") acct.clear() code = mail["headers"]["x-recovery-code"] # Now verify with the actual code, and reset the account. artok = pftok.verify_code(code) self.client.reset_account( email=session.email, token=artok, stretchpwd=stretchpwd ) session = self.client.login(**kwds) session.destroy_session() self.client.destroy_account(email=session.email, stretchpwd=stretchpwd) def _authenticate_as_new_user(self): email = self._get_user_email() stretchpwd = self._get_stretchpwd(email) kwds = { "email": email, "stretchpwd": stretchpwd, "keys": True } session = self.client.create_account(**kwds) # resend the confirmation email. session.resend_email_code() # verify the confirmation code. acct = Restmail(email=email) mail = acct.wait_for_email(lambda m: "x-verify-code" in m["headers"]) if not mail: raise RuntimeError("Verification email was not received") acct.clear() session.verify_email_code(mail["headers"]["x-verify-code"]) return self.client.login(**kwds)
import hmac config_file_name = 'config.test.ini' config = ConfigParser() config.read(config_file_name) hawk_resp = None encryption_key = None hmac_key = None if 'hawk' not in config or 'fxa' not in config: user = config['user'] client = Client("https://api.accounts.firefox.com") session = client.login(user['email'], user['password'], keys=True) keyA, keyB = session.fetch_keys() info = b"identity.mozilla.com/picl/v1/oldsync" namespace = b"oldsync" keys = derive_key(secret=keyB, namespace=namespace, size=64) encryption_key = keys[0:32] hmac_key = keys[32:64] # TODO: Store this or a derived longer-lived token # Causes a login event which causes an email fxab = FxABrowserIDAuth(user['email'], user['password'], with_client_state=True) raw_resp = requests.get('https://token.services.mozilla.com/1.0/sync/1.5',
class TestCoreClient(unittest.TestCase): server_url = TEST_SERVER_URL def setUp(self): self.client = Client(self.server_url) self._accounts_to_delete = [] def tearDown(self): for acct in self._accounts_to_delete: acct.clear() try: stretchpwd = acct.stretchpwd except AttributeError: try: password = acct.password stretchpwd = quick_stretch_password(acct.email, password) except AttributeError: stretchpwd = DUMMY_STRETCHED_PASSWORD self.client.destroy_account(acct.email, stretchpwd=stretchpwd) def test_account_creation(self): acct = TestEmailAccount() acct.password = DUMMY_PASSWORD session = self.client.create_account(acct.email, DUMMY_PASSWORD) self._accounts_to_delete.append(acct) self.assertEqual(session.email, acct.email) self.assertFalse(session.verified) self.assertEqual(session.keys, None) self.assertEqual(session._key_fetch_token, None) with self.assertRaises(Exception): session.fetch_keys() def test_account_creation_with_key_fetch(self): acct = TestEmailAccount() session = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, keys=True, ) self._accounts_to_delete.append(acct) self.assertEqual(session.email, acct.email) self.assertFalse(session.verified) self.assertEqual(session.keys, None) self.assertNotEqual(session._key_fetch_token, None) def test_account_login(self): acct = TestEmailAccount() session1 = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) session2 = self.client.login( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self.assertEqual(session1.email, session2.email) self.assertNotEqual(session1.token, session2.token) def test_get_random_bytes(self): b1 = self.client.get_random_bytes() b2 = self.client.get_random_bytes() self.assertTrue(isinstance(b1, six.binary_type)) self.assertNotEqual(b1, b2) def test_resend_verify_code(self): acct = TestEmailAccount() session = self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) is_verify_email = lambda m: "x-verify-code" in m["headers"] m1 = acct.wait_for_email(is_verify_email) code1 = m1["headers"]["x-verify-code"] # NOQA acct.clear() session.resend_email_code() # XXX TODO: this won't work against a live server because we # refuse to send duplicate emails within a short timespan. # m2 = acct.wait_for_email(is_verify_email) # code2 = m2["headers"]["x-verify-code"] # self.assertNotEqual(m1, m2) # self.assertEqual(code1, code2) def test_forgot_password_flow(self): acct = TestEmailAccount() self.client.create_account( email=acct.email, stretchpwd=DUMMY_STRETCHED_PASSWORD, ) self._accounts_to_delete.append(acct) # Initiate the password reset flow, and grab the verification code. pftok = self.client.send_reset_code(acct.email, service="foobar") m = acct.wait_for_email(lambda m: "x-recovery-code" in m["headers"]) if not m: raise RuntimeError("Password reset email was not received") acct.clear() code = m["headers"]["x-recovery-code"] # Try with an invalid code to test error handling. tries = pftok.tries_remaining self.assertTrue(tries > 1) with self.assertRaises(Exception): pftok.verify_code(mutate_one_byte(code)) pftok.get_status() self.assertEqual(pftok.tries_remaining, tries - 1) # Re-send the code, as if we've lost the email. pftok.resend_code() m = acct.wait_for_email(lambda m: "x-recovery-code" in m["headers"]) if not m: raise RuntimeError("Password reset email was not received") self.assertEqual(m["headers"]["x-recovery-code"], code) # Now verify with the actual code, and reset the account. artok = pftok.verify_code(code) self.client.reset_account(email=acct.email, token=artok, stretchpwd=DUMMY_STRETCHED_PASSWORD)