def test_handle_response_500_mutual_auth_required_fail_no_san( patched_ctx_fail): response_500 = null_response( status=500, headers={ 'date': 'DATE', 'content-length': '100', 'other': 'x' }, ) response_500._content = b'CONTENT' auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED, sanitize_mutual_error_response=False) auth.context = {"www.example.org": "CTX"} flow = auth.handle_response(response_500) with pytest.raises(StopIteration): # advance flow with no new requests next(flow) assert response_500.headers['other'] == 'x' assert response_500.headers['date'] == 'DATE' assert response_500.headers['content-length'] == '100' assert response_500.content == b'CONTENT' assert not fail_resp.called
def test_realm_override(patched_ctx): response = null_response(headers=neg_token) otherhost = "otherhost.otherdomain.org" auth = httpx_gssapi.HTTPKerberosAuth(hostname_override=otherhost) auth.generate_request_header(response.url.host, response) check_init(name=gssapi_name(f"HTTP@{otherhost}")) fake_resp.assert_called_with(b"token")
def test_generate_request_header(patched_ctx): resp = null_response(headers=neg_token) host = resp.url.host auth = httpx_gssapi.HTTPKerberosAuth() assert auth.generate_request_header(host, resp) == b64_negotiate_response check_init() fake_resp.assert_called_with(b"token")
def test_generate_request_header_init_error(patched_ctx_fail): response = null_response(headers=neg_token) host = response.url.host auth = httpx_gssapi.HTTPKerberosAuth() with pytest.raises(httpx_gssapi.exceptions.SPNEGOExchangeError): auth.generate_request_header(host, response) check_init()
def test_no_force_preemptive(patched_ctx): auth = httpx_gssapi.HTTPKerberosAuth() request = null_request() flow = auth.auth_flow(request) next(flow) # Move to first request yield assert 'Authorization' not in request.headers
def test_force_preemptive(patched_ctx): auth = httpx_gssapi.HTTPKerberosAuth(force_preemptive=True) request = null_request() flow = auth.auth_flow(request) next(flow) # Move to first request yield assert 'Authorization' in request.headers assert request.headers.get('Authorization') == b64_negotiate_response
def test_principal_override(patched_ctx, patched_creds): response = null_response(headers=neg_token) auth = httpx_gssapi.HTTPKerberosAuth(principal="user@REALM") auth.generate_request_header(response.url.host, response) fake_creds.assert_called_with( gssapi.creds.Credentials, usage="initiate", name=gssapi_name("user@REALM"), ) check_init(creds=b"fake creds")
def test_authenticate_server(patched_ctx): response_ok = null_response( headers={ 'www-authenticate': b64_negotiate_server, 'authorization': b64_negotiate_response, }) auth = httpx_gssapi.HTTPKerberosAuth() auth.context = {"www.example.org": gssapi.SecurityContext} assert auth.authenticate_server(response_ok) fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200_mutual_auth_optional_soft_failure(patched_ctx): response_ok = null_response() auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=OPTIONAL) auth.context = {"www.example.org": gssapi.SecurityContext} flow = auth.handle_response(response_ok) with pytest.raises(StopIteration): # advance flow with no new requests next(flow) assert not fake_resp.called
def test_handle_response_200_mutual_auth_required_failure(patched_ctx_fail): response_ok = null_response() auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED) auth.context = {"www.example.org": "CTX"} flow = auth.handle_response(response_ok) with pytest.raises(httpx_gssapi.MutualAuthenticationError): next(flow) assert not fail_resp.called
def test_authenticate_user(patched_ctx): response = null_response( status=401, request=null_request(), headers=neg_token, ) auth = httpx_gssapi.HTTPKerberosAuth() request = auth.authenticate_user(response) assert 'Authorization' in request.headers assert request.headers['Authorization'] == b64_negotiate_response check_init() fake_resp.assert_called_with(b"token")
def test_delegation(patched_ctx): auth = httpx_gssapi.HTTPKerberosAuth(delegate=True) response_401 = null_response(status=401, headers=neg_token) flow = auth.handle_response(response_401) request = next(flow) assert isinstance(request, httpx.Request) assert request.headers['Authorization'] == b64_negotiate_response response_ok = null_response(headers=neg_server, request=request) with pytest.raises(StopIteration): # no more requests flow.send(response_ok) check_init(flags=gssdelegflags) fake_resp.assert_called_with(b"token")
def test_handle_other(patched_ctx): response_ok = null_response( headers={ 'www-authenticate': b64_negotiate_server, 'authorization': b64_negotiate_response, }) auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED) auth.context = {"www.example.org": gssapi.SecurityContext} auth.handle_mutual_auth(response_ok) # No error raised fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200(patched_ctx): response_ok = null_response( headers={ 'www-authenticate': b64_negotiate_server, 'authorization': b64_negotiate_response, }) auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=REQUIRED) auth.context = {"www.example.org": gssapi.SecurityContext} flow = auth.handle_response(response_ok) with pytest.raises(StopIteration): # No other requests required next(flow) fake_resp.assert_called_with(b"servertoken")
def test_handle_response_200_mutual_auth_optional_hard_fail(patched_ctx_fail): response_ok = null_response( headers={ 'www-authenticate': b64_negotiate_server, 'authorization': b64_negotiate_response, }) auth = httpx_gssapi.HTTPKerberosAuth(mutual_authentication=OPTIONAL) auth.context = {"www.example.org": gssapi.SecurityContext} flow = auth.handle_response(response_ok) with pytest.raises(httpx_gssapi.MutualAuthenticationError): next(flow) fail_resp.assert_called_with(b"servertoken")
def test_handle_response_401_rejected(patched_ctx): # Get a 401 from server, authenticate, and get another 401 back. # Ensure there is no infinite auth loop. auth = httpx_gssapi.HTTPKerberosAuth() response_401 = null_response(status=401, headers=neg_token) flow = auth.handle_response(response_401) request = next(flow) assert isinstance(request, httpx.Request) assert request.headers['Authorization'] == b64_negotiate_response response_401 = null_response(status=401, headers=neg_token, request=request) request = flow.send(response_401) assert isinstance(request, httpx.Request) assert request.headers['Authorization'] == b64_negotiate_response with pytest.raises(StopIteration): # no more requests, max is 2 flow.send(null_response(status=401, headers=neg_token, request=request)) check_init() fake_resp.assert_called_with(b"token")
def test_generate_request_header_custom_service(patched_ctx): response = null_response(headers=neg_token) auth = httpx_gssapi.HTTPKerberosAuth(service="barfoo") auth.generate_request_header(response.url.host, response), check_init(name=gssapi_name("*****@*****.**")) fake_resp.assert_called_with(b"token")