def test_authentication_failures(self):
# sending a request without any authentication header should result in
# a 401 Unauthorized response.
self.app.get(TOKEN_URI, status=401)
# sending a request with a broken authentication header should return a
# 401 as well
headers = {'Authorization': 'VELOCIRAPTOR'}
self.app.get(TOKEN_URI, headers=headers, status=401)
# the authentication should be browserid
headers = {'Authorization': 'Basic-Auth alexis:alexis'}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
self.assertTrue('WWW-Authenticate' in res.headers)
self.assertEqual(res.headers['WWW-Authenticate'], 'BrowserID ')
# if the headers are good but the given assertion is not valid, a 401
# should be raised as well.
wrong_assertion = get_assertion(DEFAULT_EMAIL, bad_issuer_cert=True)
headers = {'Authorization': 'BrowserID %s' % wrong_assertion}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
# test the different cases of bad assertions.
assertion = get_assertion('*****@*****.**',
bad_issuer_cert=True)
headers = {'Authorization': 'BrowserID %s' % assertion}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
assertion = get_assertion('*****@*****.**',
issuer='loadtest.local')
res = self.app.get(TOKEN_URI, headers=headers, status=401)
assertion = get_assertion('*****@*****.**',
exp=int(time.time() - 60) * 1000)
res = self.app.get(TOKEN_URI, headers=headers, status=401)
def test_assertion_verification(self):
# giving a valid assertion should return True
worker = get_crypto_worker(MockCryptoWorker, memory_ttl=100)
verifier = PowerHoseVerifier(runner=PurePythonRunner(worker),
audiences=('*', ))
self.assertTrue(verifier.verify(get_assertion(DEFAULT_EMAIL)))
# An assertion not signed with the root issuer certificate should
# fail.
with self.assertRaises(InvalidSignatureError):
verifier.verify(get_assertion(DEFAULT_EMAIL, bad_issuer_cert=True))
def test_assertion_verification(self):
# giving a valid assertion should return True
worker = get_crypto_worker(MockCryptoWorker, memory_ttl=100)
verifier = PowerHoseVerifier(runner=PurePythonRunner(worker),
audiences=('*',))
self.assertTrue(verifier.verify(get_assertion(DEFAULT_EMAIL)))
# An assertion not signed with the root issuer certificate should
# fail.
self.assertRaises(InvalidSignatureError, verifier.verify,
get_assertion(DEFAULT_EMAIL, bad_issuer_cert=True))
def generate_assertions():
in_one_day = int(time.time() + 60 * 60 * 24) * 1000
stream = 'VALID_ASSERTION = "%s"\n' % \
get_assertion('*****@*****.**', issuer='loadtest.local',
exp=in_one_day)
stream += 'WRONG_ISSUER_ASSERTION = "%s"\n' % \
get_assertion('*****@*****.**', exp=in_one_day)
stream += 'WRONG_EMAIL_HOST_ASSERTION = "%s"\n' % \
get_assertion('*****@*****.**', issuer='loadtest.local',
exp=in_one_day)
stream += 'EXPIRED_TOKEN = "%s"\n' % \
get_assertion('*****@*****.**', issuer='loadtest.local',
exp=int(time.time() - 60) * 1000)
return stream
def test_loadtest_mode(self):
worker = get_crypto_worker(CryptoWorker, loadtest_mode=True,
memory_ttl=100)
verifier = PowerHoseVerifier(runner=PurePythonRunner(worker),
audiences=('*',))
result = verifier.verify(get_assertion('*****@*****.**',
issuer='loadtest.local'))
self.assertTrue(result)
def test_loadtest_mode(self):
worker = get_crypto_worker(CryptoWorker,
loadtest_mode=True,
memory_ttl=100)
verifier = PowerHoseVerifier(runner=PurePythonRunner(worker),
audiences=('*', ))
result = verifier.verify(
get_assertion('*****@*****.**', issuer='loadtest.local'))
self.assertTrue(result)
def test_assertion_verification(self):
# giving a valid assertion should return True
worker = CryptoWorker(CERTS_LOCATION)
verifier = PowerHoseVerifier(runner=PurePythonRunner(worker),
audiences=('*',))
self.assertTrue(verifier.verify(get_assertion(DEFAULT_EMAIL)))
# giving a wrong assertion (invalid bundled certificate) raise an
# exception
self.assertRaises(InvalidSignatureError, verifier.verify,
get_assertion(DEFAULT_EMAIL, bad_issuer_cert=True))
self.assertRaises(InvalidSignatureError, verifier.verify,
get_assertion(DEFAULT_EMAIL, bad_email_cert=True))
self.assertRaises(InvalidSignatureError, verifier.verify,
get_assertion(DEFAULT_EMAIL, bad_email_cert=True,
bad_issuer_cert=True))
def test_authentication_failures(self):
# sending a request without any authentication header should result in
# a 401 Unauthorized response.
self.app.get(TOKEN_URI, status=401)
# sending a request with a broken authentication header should return a
# 401 as well
headers = {'Authorization': 'VELOCIRAPTOR'}
self.app.get(TOKEN_URI, headers=headers, status=401)
# the authentication should be browserid
headers = {'Authorization': 'Basic-Auth alexis:alexis'}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
self.assertTrue('WWW-Authenticate' in res.headers)
self.assertEqual(res.headers['WWW-Authenticate'], 'Browser-ID ')
# if the headers are good but the given assertion is not valid, a 401
# should be raised as well.
wrong_assertion = get_assertion(DEFAULT_EMAIL,
bad_issuer_cert=True)
headers = {'Authorization': 'Browser-ID %s' % wrong_assertion}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
# test the different cases of bad assertions.
assertion = get_assertion('*****@*****.**',
bad_issuer_cert=True)
headers = {'Authorization': 'Browser-ID %s' % assertion}
res = self.app.get(TOKEN_URI, headers=headers, status=401)
assertion = get_assertion('*****@*****.**',
issuer='loadtest.local')
res = self.app.get(TOKEN_URI, headers=headers, status=401)
assertion = get_assertion('*****@*****.**',
exp=int(time.time() - 60) * 1000)
res = self.app.get(TOKEN_URI, headers=headers, status=401)
def _test_valid_app(self):
assertion = get_assertion(DEFAULT_EMAIL)
headers = {'Authorization': 'Browser-ID %s' % assertion}
res = self.app.get(TOKEN_URI, headers=headers)
self.assertEqual(res.json['api_endpoint'], DEFAULT_NODE + '/1.0/0')
def _test_valid_app(self):
assertion = get_assertion(DEFAULT_EMAIL)
headers = {'Authorization': 'BrowserID %s' % assertion}
res = self.app.get(TOKEN_URI, headers=headers)
self.assertEqual(res.json['api_endpoint'], DEFAULT_NODE + '/1.0/0')
def _getassertion(self):
email = '*****@*****.**'
return get_assertion(email)
