Exemplo n.º 1
 def test_authentication_roundtrip_v1(self):
     """Happy path: challenge -> signed response -> token -> validation.

     One AuthServer named "server.name" issues the challenge, the client
     signs it for that same server name, and the token the server creates
     from the response must validate on that same server.
     """
     srv = server.AuthServer("server_secret", DummyKeyProvider(),
                             "server.name")
     # The trailing 1 is presumably the protocol version (per the test
     # name) -- confirm against AuthServer.create_challenge.
     issued = srv.create_challenge("test", 1)
     key_signer = ssh.SingleKeySigner(test_priv_key)
     signed = create_response(issued, "server.name", key_signer)
     self.assertTrue(srv.validate_token(srv.create_token(signed)))
Exemplo n.º 2
 def test_authentication_roundtrip_mitm1(self):
     """Client side of the server-name binding check.

     The challenge is issued by a server named "server.name", but the
     client is asked to answer it for "another.server". create_response
     must refuse with InvalidInputException instead of signing, so a
     challenge relayed from a different server is never answered.
     """
     srv = server.AuthServer("server_secret", DummyKeyProvider(),
                             "server.name")
     issued = srv.create_challenge("test")
     try:
         create_response(issued, "another.server",
                         ssh.SingleKeySigner(test_priv_key))
     except exceptions.InvalidInputException:
         # Expected: the server-name mismatch was detected.
         return
     self.fail("Should have gotten InvalidInputException")
Exemplo n.º 3
 def test_authentication_roundtrip_mitm2(self):
     """Server side of the server-name binding check.

     A response produced for "server.name" is presented to a second
     AuthServer that shares the same secret but is named
     "another.server". create_token must reject it with
     InvalidInputException, so a valid response cannot be replayed
     against a differently named server.
     """
     issuer = server.AuthServer("server_secret", DummyKeyProvider(),
                                "server.name")
     issued = issuer.create_challenge("test")
     signed = create_response(issued, "server.name",
                              ssh.SingleKeySigner(test_priv_key))
     other = server.AuthServer("server_secret", DummyKeyProvider(),
                               "another.server")
     try:
         other.create_token(signed)
     except exceptions.InvalidInputException:
         # Expected: the response names a different server.
         return
     self.fail("should have thrown exception")
Exemplo n.º 4
 def test_create_token_too_old(self):
     """A response to a stale challenge must not yield a token.

     The challenge and response are created at the real time, then
     handed to a server whose clock runs 1000 seconds ahead. From that
     server's point of view the challenge is too old, and create_token
     is expected to raise InvalidInputException.
     """
     def clock_ahead():
         return time.time() + 1000

     issuer = server.AuthServer("server_secret", DummyKeyProvider(),
                                "server.name")
     issued = issuer.create_challenge("test")
     signed = create_response(issued, "server.name",
                              ssh.SingleKeySigner(test_priv_key))
     late_server = server.AuthServer("server_secret",
                                     DummyKeyProvider(),
                                     "server.name",
                                     now_func=clock_ahead)
     try:
         late_server.create_token(signed)
     except exceptions.InvalidInputException:
         # Expected: the challenge is outside the accepted time window.
         return
     self.fail("Should have issued InvalidInputException, "
               "challenge too old")
Exemplo n.º 5
 def test_validate_token_too_new(self):
     """A token that appears to come from the future must be rejected.

     The token is created at the real time, then validated by a server
     whose clock runs 1000 seconds behind. To that server the token is
     "too new", and validate_token is expected to raise
     TokenExpiredException.
     """
     def clock_behind():
         return time.time() - 1000

     issuer = server.AuthServer("server_secret", DummyKeyProvider(),
                                "server.name")
     issued = issuer.create_challenge("test")
     signed = create_response(issued, "server.name",
                              ssh.SingleKeySigner(test_priv_key))
     fresh_token = issuer.create_token(signed)
     early_server = server.AuthServer("server_secret",
                                      DummyKeyProvider(),
                                      "server.name",
                                      now_func=clock_behind)
     try:
         early_server.validate_token(fresh_token)
     except exceptions.TokenExpiredException:
         # Expected: the token's validity window has not started yet.
         return
     self.fail("Should have issued TokenExpiredException, "
               "token too new")
Exemplo n.º 6
    def __init__(self, username=None, private_key=None, signer=None, version=1):
        """Set up crtauth HTTP authentication state for the requests library.

        Args:
            username: User to authenticate as. Falls back to the USER
                environment variable when empty or None.
            private_key: A PEM encoded private key string. When given it
                takes precedence over signer and is wrapped in a
                SingleKeySigner.
            signer: A crtauth SigningPlug instance, stored as passed.
            version: Integer version of the crtauth protocol.
        """
        # NOTE(review): a signer of None is stored unchanged here; any
        # fallback to the SSH agent (AgentSigner) must happen elsewhere --
        # confirm before relying on it.
        if not username:
            username = os.environ.get('USER')
        self.username = username
        self.signer = (crtauth_ssh.SingleKeySigner(private_key)
                       if private_key else signer)
        # No token has been obtained yet.
        self.chap_token = None
        self.version = version
Exemplo n.º 7
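def _authenticate(base_url, username, private_key_filename):
    """Run the crtauth challenge/response exchange against base_url.

    Loads the private key from private_key_filename, requests a challenge
    for username, signs it for the host named in base_url, and sends the
    response back.

    Args:
        base_url: URL of the server to authenticate against. Its host part
            becomes the server name the signed response is bound to.
        username: User to request a challenge for.
        private_key_filename: Path to the private key file.

    Returns:
        Whatever _auth_get returns for the 'response:' request.

    Exits the process with status 1 if the key file cannot be read or
    loaded.
    """
    try:
        with open(private_key_filename) as f:
            signer = ssh.SingleKeySigner(f.read())
    except Exception:
        # Was a bare "except:", which also swallowed KeyboardInterrupt and
        # SystemExit. Any read or parse failure still ends up here, so the
        # message may also be shown for a missing or unreadable file.
        sys.stderr.write(
            'ERROR: Key file must be a passphraseless private key '
            'generated by ssh-keygen')
        sys.exit(1)

    challenge = _auth_get(base_url,
                          'request:%s' % client.create_request(username))
    # netloc might contain port information as well. str.index() raises
    # ValueError instead of returning -1, so the previous check crashed on
    # every URL without an explicit port; partition() handles both cases.
    # NOTE(review): a netloc with userinfo ("user:pw@host") or a bracketed
    # IPv6 literal is still cut at its first ':' -- the server name is part
    # of what gets signed, so confirm such URLs are never passed in.
    hostname = urlparse.urlparse(base_url).netloc.partition(':')[0]
    response = client.create_response(challenge, hostname, signer)
    return _auth_get(base_url, 'response:' + response)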