def test_login_gssapi_principal_needs_keytab(requests_session): """Login with gssapi method raises if principal is provided without keytab.""" hub_url = "https://hub.example.com/myapp/endpoint" conf = PyConfigParser() conf.load_from_dict( { "HUB_URL": hub_url, "AUTH_METHOD": "gssapi", "KRB_PRINCIPAL": "*****@*****.**", } ) transport = FakeTransport() logger = mock.Mock() proxy = HubProxy(conf, transport=transport, logger=logger) proxy._login(force=True) # This is pretty dumb: login() swallows all exceptions (probably for no good reason). # The only hint there was a problem is a DEBUG log message, so we detect the error # that way. logger.debug.assert_called_with( "Failed to create new session: Cannot specify a principal without a keytab" )
def test_no_auto_logout(requests_session): """auto_logout argument warns of deprecation""" conf = PyConfigParser() conf.load_from_dict({"HUB_URL": 'https://example.com/hub'}) transport = FakeTransport() with pytest.deprecated_call(): HubProxy(conf, transport=transport, auto_logout=True)
def test_login_gssapi_krb_opts(requests_session): """Login with gssapi method prepares auth using correct gssapi parameters according to config.""" hub_url = "https://hub.example.com/myapp/endpoint" login_url = "https://hub.example.com/myapp/auth/krb5login/" conf = PyConfigParser() conf.load_from_dict({ "HUB_URL": hub_url, "AUTH_METHOD": "gssapi", "CA_CERT": "/some/ca-bundle.pem", "KRB_PRINCIPAL": "*****@*****.**", "KRB_SERVICE": "SVC", "KRB_REALM": "REALM.EXAMPLE.COM", "KRB_KEYTAB": "some-keytab", "KRB_CCACHE": "some-cache", }) transport = FakeTransport() proxy = HubProxy(conf, transport=transport) mock_get = requests_session.return_value.get calls_before = len(mock_get.mock_calls) with mock.patch("requests_gssapi.HTTPSPNEGOAuth") as mock_auth: with mock.patch("gssapi.Credentials") as mock_creds: # Force a login proxy._login(force=True) get_call = mock_get.mock_calls[calls_before] # It should have prepared credentials with the details from config mock_creds.assert_called_once_with( name=gssapi.Name("*****@*****.**", gssapi.NameType.kerberos_principal), store={ "client_keytab": "some-keytab", "ccache": "FILE:some-cache" }, usage="initiate", ) # It should have prepared auth with those credentials and our configured # server principal mock_auth.assert_called_once_with( creds=mock_creds.return_value, target_name=gssapi.Name("SVC/[email protected]", gssapi.NameType.kerberos_principal), ) # It should have used the configured CA bundle when issuing the request assert get_call[2]["verify"] == "/some/ca-bundle.pem"
def test_proxies_to_xmlrpc(requests_session): """HubProxy proxies to underlying XML-RPC ServerProxy""" conf = PyConfigParser() conf.load_from_dict({"HUB_URL": 'https://example.com/hub'}) transport = FakeTransport() proxy = HubProxy(conf, transport=transport) proxy.some_obj.some_method() # Last call should have invoked the method I requested (_, request_xml) = transport.fake_transport_calls[-1] assert b'some_obj.some_method' in request_xml
def test_login_gssapi(requests_session): """Login with gssapi method obtains session cookie via SPNEGO & krb5login.""" hub_url = "https://example.com/myapp/endpoint" login_url = "https://example.com/myapp/auth/krb5login/" conf = PyConfigParser() conf.load_from_dict({ "HUB_URL": hub_url, "AUTH_METHOD": "gssapi", }) transport = FakeTransport() proxy = HubProxy(conf, transport=transport) # Proxy might have already done some calls during initialization. # We're trying to test login in isolation, so keep track of how many # mock calls there have been already. mock_get = requests_session.return_value.get calls_before = len(mock_get.mock_calls) # Force a login proxy._login(force=True) # Cookies should have been shared between session and transport assert requests_session.return_value.cookies is transport.cookiejar # Check the requests done calls = mock_get.mock_calls[calls_before:] assert calls[0][0] == "" call_args = calls[0][1] call_kwargs = calls[0][2] # It should have made a request to log in assert call_args == (login_url, ) # It should have enabled SPNEGO auth. # More details about this object are verified in a separate test. assert "HTTPSPNEGOAuth" in str(type(call_kwargs["auth"])) # It should have verified the result assert calls[1][0] == "().raise_for_status" # And that's all assert len(calls) == 2