def _test_hmac_auth(self, mod_name, password, **kwargs):
for test_password in (password, "somethingelse"):
a = self._init_auth(mod_name, **kwargs)
assert a.requires_challenge()
assert a.get_password()
salt, mac = a.get_challenge(
[x for x in get_digests() if x.startswith("hmac")])
assert salt
assert mac.startswith("hmac"), "invalid mac: %s" % mac
client_salt = strtobytes(uuid.uuid4().hex + uuid.uuid4().hex)
salt_digest = a.choose_salt_digest(get_digests())
auth_salt = strtobytes(gendigest(salt_digest, client_salt, salt))
digestmod = get_digest_module(mac)
verify = hmac.HMAC(strtobytes(test_password),
auth_salt,
digestmod=digestmod).hexdigest()
passed = a.authenticate(verify, client_salt)
assert passed == (
test_password == password
), "expected authentication to %s with %s vs %s" % ([
"fail", "succeed"
][test_password == password], test_password, password)
assert not a.authenticate(
verify, client_salt
), "should not be able to athenticate again with the same values"
def test_allow(self):
a = self._init_auth("allow")
assert a.requires_challenge()
assert a.get_challenge(get_digests())
assert not a.get_password()
for x in (None, "bar"):
assert a.authenticate(x, "")
assert a.authenticate("", x)
def test_reject(self):
a = self._init_auth("reject")
assert a.requires_challenge()
c, mac = a.get_challenge(get_digests())
assert c and mac
assert not a.get_sessions()
assert not a.get_password()
for x in (None, "bar"):
assert not a.authenticate(x, c)
assert not a.authenticate(x, x)
def _test_module(self, module):
a = self._init_auth(module)
assert a
if a.requires_challenge():
challenge = a.get_challenge(get_digests())
assert challenge
a = self._init_auth(module)
assert a
if a.requires_challenge():
try:
challenge = a.get_challenge(["invalid-digest"])
except Exception:
pass
else:
assert challenge is None
def _test_file_auth(self, mod_name, genauthdata):
#no file, no go:
a = self._init_auth(mod_name)
assert a.requires_challenge()
p = a.get_password()
assert not p, "got a password from %s: %s" % (a, p)
#challenge twice is a fail
assert a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
for muck in (0, 1):
if WIN32:
#NamedTemporaryFile doesn't work for reading on win32...
import time
filename = os.path.join(os.environ.get("TEMP", "/tmp"),
"file-auth-test-%s" % time.time())
f = open(filename, 'wb')
else:
f = tempfile.NamedTemporaryFile(prefix=mod_name)
filename = f.name
try:
with f:
a = self._init_auth(mod_name, {"password_file": filename})
password, filedata = genauthdata(a)
#print("saving password file data='%s' to '%s'" % (filedata, filename))
f.write(strtobytes(filedata))
f.flush()
assert a.requires_challenge()
salt, mac = a.get_challenge(get_digests())
assert salt
assert mac in get_digests()
assert mac != "xor"
password = strtobytes(password)
client_salt = strtobytes(uuid.uuid4().hex +
uuid.uuid4().hex)[:len(salt)]
salt_digest = a.choose_salt_digest(get_digests())
assert salt_digest
auth_salt = strtobytes(
gendigest(salt_digest, client_salt, salt))
if muck == 0:
digestmod = get_digest_module(mac)
verify = hmac.HMAC(password,
auth_salt,
digestmod=digestmod).hexdigest()
assert a.authenticate(verify, client_salt)
assert not a.authenticate(verify, client_salt)
assert a.get_password() == password
elif muck == 1:
for verify in ("whatever", None, "bad"):
assert not a.authenticate(verify, client_salt)
finally:
if WIN32:
os.unlink(filename)
def _test_file_auth(self, mod_name, genauthdata):
#no file, no go:
a = self._init_auth(mod_name)
assert a.requires_challenge()
p = a.get_password()
assert not p, "got a password from %s: %s" % (a, p)
#challenge twice is a fail
assert a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
assert not a.get_challenge(get_digests())
for muck in (0, 1):
with TempFileContext(prefix=mod_name) as context:
f = context.file
filename = context.filename
with f:
a = self._init_auth(mod_name, {"password_file": filename})
password, filedata = genauthdata(a)
#print("saving password file data='%s' to '%s'" % (filedata, filename))
f.write(strtobytes(filedata))
f.flush()
assert a.requires_challenge()
salt, mac = a.get_challenge(get_digests())
assert salt
assert mac in get_digests()
assert mac != "xor"
password = strtobytes(password)
client_salt = strtobytes(uuid.uuid4().hex +
uuid.uuid4().hex)[:len(salt)]
salt_digest = a.choose_salt_digest(get_digests())
assert salt_digest
auth_salt = strtobytes(
gendigest(salt_digest, client_salt, salt))
if muck == 0:
digestmod = get_digest_module(mac)
verify = hmac.HMAC(password,
auth_salt,
digestmod=digestmod).hexdigest()
assert a.authenticate(verify, client_salt)
assert not a.authenticate(verify, client_salt)
assert a.get_password() == password
elif muck == 1:
for verify in ("whatever", None, "bad"):
assert not a.authenticate(verify, client_salt)