def createDocumentRoot(self):
docroot = self.mktemp()
os.mkdir(docroot)
userResource = TestDAVPrincipalResource("/principals/users/user01")
userResource.writeDeadProperty(TwistedPasswordProperty("user01"))
principalCollection = TestPrincipalsCollection(
"/principals/",
children={"users": TestPrincipalsCollection(
"/principals/users/",
children={"user01": userResource})})
rootResource = self.resource_class(
docroot, principalCollections=(principalCollection,))
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
credentialFactories = (basic.BasicCredentialFactory(""),)
loginInterfaces = (IPrincipal,)
self.site = Site(AuthenticationWrapper(
rootResource,
portal,
credentialFactories,
credentialFactories,
loginInterfaces
))
rootResource.setAccessControlList(self.grant(element.All()))
for name, acl in (
("none" , self.grant()),
("read" , self.grant(element.Read())),
("read-write" , self.grant(element.Read(), element.Write())),
("unlock" , self.grant(element.Unlock())),
("all" , self.grant(element.All())),
):
filename = os.path.join(docroot, name)
if not os.path.isfile(filename):
file(filename, "w").close()
resource = self.resource_class(filename)
resource.setAccessControlList(acl)
for name, acl in (
("nobind" , self.grant()),
("bind" , self.grant(element.Bind())),
("unbind" , self.grant(element.Bind(), element.Unbind())),
):
dirname = os.path.join(docroot, name)
if not os.path.isdir(dirname):
os.mkdir(dirname)
resource = self.resource_class(dirname)
resource.setAccessControlList(acl)
return docroot
def test_basicAuthPrevention(self):
"""
Ensure authentication factories which are not safe to use over an
"unencrypted wire" are not advertised when an insecure (i.e. non-SSL
connection is made.
"""
FakeFactory = collections.namedtuple("FakeFactory", ("scheme,"))
wireEncryptedfactories = [FakeFactory("basic"), FakeFactory("digest"), FakeFactory("xyzzy")]
wireUnencryptedfactories = [FakeFactory("digest"), FakeFactory("xyzzy")]
class FakeChannel(object):
def __init__(self, secure):
self.secure = secure
def getHostInfo(self):
return "ignored", self.secure
class FakeRequest(object):
def __init__(self, secure):
self.portal = None
self.loginInterfaces = None
self.credentialFactories = None
self.chanRequest = FakeChannel(secure)
wrapper = AuthenticationWrapper(None, None,
wireEncryptedfactories, wireUnencryptedfactories, None)
req = FakeRequest(True) # Connection is over SSL
wrapper.hook(req)
self.assertEquals(
set(req.credentialFactories.keys()),
set(["basic", "digest", "xyzzy"])
)
req = FakeRequest(False) # Connection is not over SSL
wrapper.hook(req)
self.assertEquals(
set(req.credentialFactories.keys()),
set(["digest", "xyzzy"])
)
def setUp(self):
TestCase.setUp(self)
gooduser = TestDAVPrincipalResource("/users/gooduser")
gooduser.writeDeadProperty(TwistedPasswordProperty("goodpass"))
baduser = TestDAVPrincipalResource("/users/baduser")
baduser.writeDeadProperty(TwistedPasswordProperty("badpass"))
rootresource = TestPrincipalsCollection(
"/", {
"users":
TestResource("/users/", {
"gooduser": gooduser,
"baduser": baduser
})
})
protected = TestResource("/protected",
principalCollections=[rootresource])
protected.setAccessControlList(
davxml.ACL(
davxml.ACE(davxml.Principal(davxml.HRef("/users/gooduser")),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected())))
rootresource.children["protected"] = protected
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
credentialFactories = (basic.BasicCredentialFactory(""), )
loginInterfaces = (IPrincipal, )
self.rootresource = rootresource
self.site = Site(
AuthenticationWrapper(
self.rootresource,
portal,
credentialFactories,
credentialFactories,
loginInterfaces,
))
def test_basicAuthPrevention(self):
"""
Ensure authentication factories which are not safe to use over an
"unencrypted wire" are not advertised when an insecure (i.e. non-SSL
connection is made.
"""
FakeFactory = collections.namedtuple("FakeFactory", ("scheme,"))
wireEncryptedfactories = [
FakeFactory("basic"),
FakeFactory("digest"),
FakeFactory("xyzzy")
]
wireUnencryptedfactories = [
FakeFactory("digest"), FakeFactory("xyzzy")
]
class FakeChannel(object):
def __init__(self, secure):
self.secure = secure
def getHostInfo(self):
return "ignored", self.secure
class FakeRequest(object):
def __init__(self, secure):
self.portal = None
self.loginInterfaces = None
self.credentialFactories = None
self.chanRequest = FakeChannel(secure)
wrapper = AuthenticationWrapper(None, None, wireEncryptedfactories,
wireUnencryptedfactories, None)
req = FakeRequest(True) # Connection is over SSL
wrapper.hook(req)
self.assertEquals(set(req.credentialFactories.keys()),
set(["basic", "digest", "xyzzy"]))
req = FakeRequest(False) # Connection is not over SSL
wrapper.hook(req)
self.assertEquals(set(req.credentialFactories.keys()),
set(["digest", "xyzzy"]))