def test_authenticate_invalid(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) # an invalid request fourth_request = self.create_mock_request_for_header( 'Digest blah blah blah') # an invalid request fifth_request = self.create_mock_request_for_header(None) # an invalid nonce sixth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=1, nonce=python_digest.calculate_nonce(time.time(), secret='bad secret')) # an invalid request digest (wrong password) seventh_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) # attack attempts / failures don't invalidate the session or increment nonce_cont eighth_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) eighth_request.user = testuser # mismatched URI ninth_request = self.create_mock_request( username=testuser.username, nonce=nonce, password='******', nonce_count=4, request_path='/different/path') # stale nonce tenth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=4, nonce=python_digest.calculate_nonce( time.time()-60000, secret=settings.SECRET_KEY)) # once the nonce is used by one user, can't be reused by another eleventh_request = self.create_mock_request( username=otheruser.username, password='******', nonce=nonce, nonce_count=4) authenticator = HttpDigestAuthenticator() with self.mocker: self.assertFalse(authenticator.authenticate(fourth_request)) self.assertFalse(authenticator.authenticate(fifth_request)) self.assertFalse(authenticator.authenticate(sixth_request)) self.assertFalse(authenticator.authenticate(seventh_request)) self.assertTrue(authenticator.authenticate(eighth_request)) self.assertFalse(authenticator.authenticate(ninth_request)) self.assertFalse(authenticator.authenticate(tenth_request)) self.assertFalse(authenticator.authenticate(eleventh_request))
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) with transaction.commit_on_success(): self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) with transaction.commit_on_success(): self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_missing(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') User.objects.create_user(username='******', email='*****@*****.**', password='******') python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) # if the partial digest is not in the DB, authentication fails twelfth_request = self.create_mock_request(username=testuser.username, password='******', nonce_count=3) authenticator = HttpDigestAuthenticator() PartialDigest.objects.all().delete() self.assertFalse(authenticator.authenticate(twelfth_request))
def _get_http_auth_header(username, password, uri): return build_authorization_request( username, 'GET', uri, 3, nonce=calculate_nonce(time.time(), settings.SECRET_KEY), realm='DJANGO', opaque='myopaque', password=password, )
def test_authenticate_nonce(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce = python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() assert 'HTTP_AUTHORIZATION' in first_request.META assert python_digest.is_digest_credential( first_request.META['HTTP_AUTHORIZATION']) self.assertTrue( HttpDigestAuthenticator.contains_digest_credentials(first_request)) transaction.set_autocommit(False) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request)) transaction.commit() transaction.set_autocommit(True)
def create_mock_request(self, username='******', realm=None, method='GET', uri='/dummy/uri', nonce=None, request_digest=None, algorithm=None, opaque='dummy-opaque', qop='auth', nonce_count=1, client_nonce=None, password='******', request_path=None): if not realm: realm = get_setting('DIGEST_REALM', DEFAULT_REALM) if not nonce: nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) if not request_path: request_path = uri header = python_digest.build_authorization_request( username=username, realm=realm, method=method, uri=uri, nonce=nonce, opaque=opaque, nonce_count=nonce_count, password=password, request_digest=request_digest, client_nonce=client_nonce) request = self.create_mock_request_for_header(header) expect(request.method).result(method) expect(request.path).result(request_path) return request
def test_disable_nonce_count_enforcement(self): with patch(settings, DIGEST_ENFORCE_NONCE_COUNT=False): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will succeed second_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) second_request.user = testuser authenticator = HttpDigestAuthenticator() self.assertTrue(authenticator.authenticate(first_request)) self.assertTrue(authenticator.authenticate(second_request))
def test_disable_nonce_count_enforcement(self): with patch(settings, DIGEST_ENFORCE_NONCE_COUNT=False): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce = python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will succeed second_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce) second_request.user = testuser authenticator = HttpDigestAuthenticator() self.assertTrue(authenticator.authenticate(first_request)) self.assertTrue(authenticator.authenticate(second_request))
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() assert 'HTTP_AUTHORIZATION' in first_request.META assert python_digest.is_digest_credential(first_request.META['HTTP_AUTHORIZATION']) self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) transaction.set_autocommit(False) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request)) transaction.commit() transaction.set_autocommit(True)
def test_authenticate(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser # an invalid request fourth_request = self.create_mock_request_for_header( 'Digest blah blah blah') # an invalid request fifth_request = self.create_mock_request_for_header(None) # an invalid nonce sixth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=1, nonce=python_digest.calculate_nonce(time.time(), secret='bad secret')) # an invalid request digest (wrong password) seventh_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) # attack attempts / failures don't invalidate the session or increment nonce_cont eighth_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) eighth_request.user = testuser # mismatched URI ninth_request = self.create_mock_request( username=testuser.username, nonce=nonce, password='******', nonce_count=4, request_path='/different/path') # stale nonce tenth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=4, nonce=python_digest.calculate_nonce( time.time()-60000, secret=settings.SECRET_KEY)) # once the nonce is used by one user, can't be reused by another eleventh_request = self.create_mock_request( username=otheruser.username, password='******', nonce=nonce, nonce_count=4) # if the partial digest is not in the DB, authentication fails twelfth_request = self.create_mock_request(username=testuser.username, password='******', nonce_count=3) # a request for Basic auth thirteenth_request = self.create_mock_request_for_header( 'Basic YmxhaDpibGFo') authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(first_request)) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) self.assertTrue(authenticator.authenticate(third_request)) self.assertFalse(authenticator.authenticate(fourth_request)) self.assertFalse(authenticator.authenticate(fifth_request)) self.assertFalse(authenticator.authenticate(sixth_request)) self.assertFalse(authenticator.authenticate(seventh_request)) self.assertTrue(authenticator.authenticate(eighth_request)) self.assertFalse(authenticator.authenticate(ninth_request)) self.assertFalse(authenticator.authenticate(tenth_request)) self.assertFalse(authenticator.authenticate(eleventh_request)) PartialDigest.objects.all().delete() self.assertFalse(authenticator.authenticate(twelfth_request)) self.assertFalse(authenticator.authenticate(thirteenth_request))