def test_replace_username_token_elem_missing_type():
""" Tests whether the expected exception is being raized while replacing
the username token which doesn't have the 'Type' attribute.
"""
wsse = WSSE()
soap = etree.fromstring(get_data(True))
# _replace_username_token_elem
# Scenario 1) Everything goes well, SOAP's correct and contains the expected
# element.
wsse_password = wsse_password_xpath(soap)
old_elem, attr = wsse._replace_username_token_elem(soap, wsse_password,
'Type')
eq_(old_elem, raw_password)
# Scenario 2) SOAP message doesn't have the expected element.
soap_invalid = etree.fromstring(get_data(False))
foobar = etree.XPath('//foo')(soap_invalid)
try:
wsse._replace_username_token_elem(soap_invalid, foobar, 'bar')
except SecurityException, e:
eq_(
e.description,
"Element [/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken] doesn't exist"
)
def test_nonce_default_unique():
""" By default every nonce is considered to be unique and wsse.check_nonce
should always return False, regardless of the input data.
"""
wsse = WSSE()
dummy1, dummy, dummy3 = range(3)
eq_(wsse.check_nonce(dummy1, dummy, dummy3), False)
def test_nonce_default_unique():
""" By default every nonce is considered to be unique and wsse.check_nonce
should always return False, regardless of the input data.
"""
wsse = WSSE()
dummy1, dummy, dummy3 = range(3)
eq_(wsse.check_nonce(dummy1, dummy, dummy3), False)
def test_replace_username_token_elem_ok():
""" Tests whether replacing the username token works fine.
"""
wsse = WSSE()
soap = etree.fromstring(get_data())
wsse_password = wsse_password_xpath(soap)
old_elem, attr = wsse._replace_username_token_elem(soap, wsse_password, 'Type')
eq_(old_elem, raw_password)
def test_get_digest():
""" Checks whether computing the digest works fine.
"""
wsse = WSSE()
# _get_digest
nonce = 'NTA5OTA3YTk4Zjk5NGVhYWJhNTZkMTVkZGIzZjM2NzY=\n'
digest = wsse._get_digest(raw_password, nonce, '2010-12-03T20:13:10.602Z')
eq_(digest, 'OGhlMsnX6G7l859oktI6dUBfSjs=')
def test_get_digest():
""" Checks whether computing the digest works fine.
"""
wsse = WSSE()
# _get_digest
nonce = 'NTA5OTA3YTk4Zjk5NGVhYWJhNTZkMTVkZGIzZjM2NzY=\n'
digest = wsse._get_digest(raw_password, nonce, '2010-12-03T20:13:10.602Z')
eq_(digest, 'OGhlMsnX6G7l859oktI6dUBfSjs=')
def test_validate_password_digest_ok():
""" Successfully validates a message whose password is of type PasswordDigest.
"""
soap = etree.fromstring(get_data(password_digest=True))
config = copy.deepcopy(base_config)
config['wsse-pwd-password-digest'] = True
wsse = WSSE()
return_value = wsse.validate(soap, config)
eq_(return_value, (True, 'foo'))
def test_replace_username_token_elem_ok():
""" Tests whether replacing the username token works fine.
"""
wsse = WSSE()
soap = etree.fromstring(get_data())
wsse_password = wsse_password_xpath(soap)
old_elem, attr = wsse._replace_username_token_elem(soap, wsse_password,
'Type')
eq_(old_elem, raw_password)
def test_validate_password_digest_ok():
""" Successfully validates a message whose password is of type PasswordDigest.
"""
soap = etree.fromstring(get_data(password_digest=True))
config = copy.deepcopy(base_config)
config['wsse-pwd-password-digest'] = True
wsse = WSSE()
return_value = wsse.validate(soap, config)
eq_(return_value, (True, 'foo'))
def test_error():
""" Checks whether raising exceptions works fine.
"""
wsse = WSSE()
description = uuid4().hex
elem = '/foo/bar/baz'
try:
wsse.error(description)
except SecurityException, e:
eq_(e.description, description)
def test_error():
""" Checks whether raising exceptions works fine.
"""
wsse = WSSE()
description = uuid4().hex
elem = '/foo/bar/baz'
try:
wsse.error(description)
except SecurityException, e:
eq_(e.description, description)
def test_reject_expiry_limit():
""" Tests whether expired messages are being rejected on validation.
"""
soap = etree.fromstring(get_data())
config = copy.deepcopy(base_config)
config['wsse-pwd-reject-expiry-limit'] = 0.001
# Make sure the message expires.
time.sleep(1)
wsse = WSSE()
try:
wsse.validate(soap, config)
except SecurityException, e:
eq_(e.description, 'UsernameToken has expired')
def test_reject_expiry_limit():
""" Tests whether expired messages are being rejected on validation.
"""
soap = etree.fromstring(get_data())
config = copy.deepcopy(base_config)
config['wsse-pwd-reject-expiry-limit'] = 0.001
# Make sure the message expires.
time.sleep(1)
wsse = WSSE()
try:
wsse.validate(soap, config)
except SecurityException, e:
eq_(e.description, 'UsernameToken has expired')
def test_replace_username_token_elem_missing_type():
""" Tests whether the expected exception is being raized while replacing
the username token which doesn't have the 'Type' attribute.
"""
wsse = WSSE()
soap = etree.fromstring(get_data(True))
# _replace_username_token_elem
# Scenario 1) Everything goes well, SOAP's correct and contains the expected
# element.
wsse_password = wsse_password_xpath(soap)
old_elem, attr = wsse._replace_username_token_elem(soap, wsse_password, 'Type')
eq_(old_elem, raw_password)
# Scenario 2) SOAP message doesn't have the expected element.
soap_invalid = etree.fromstring(get_data(False))
foobar = etree.XPath('//foo')(soap_invalid)
try:
wsse._replace_username_token_elem(soap_invalid, foobar, 'bar')
except SecurityException, e:
eq_(e.description, "Element [/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken] doesn't exist")
def test_validate_invalid_input():
""" Tests whether validating with invalid input data raises expected
exceptions.
"""
wsse = WSSE()
soap = etree.fromstring(get_data())
def _check_validate(data, expected):
config = copy.deepcopy(base_config)
soap = etree.fromstring(data)
try:
wsse.validate(soap, config)
except SecurityException, e:
eq_(e.description, expected)
else:
def test_invalid_input():
""" Tests whether correct exceptions are being raised on invalid input.
"""
wsse = WSSE()
# a list of [method, how_many_param_sit_needs, description] elements
test_data = [
[wsse.on_invalid_username, 3, 'Invalid username or password'],
[wsse.on_invalid_password, 4, 'Invalid username or password'],
[wsse.on_username_token_expired, 3, 'UsernameToken has expired'],
[wsse.on_nonce_non_unique, 4, 'Nonce [1] is not unique'],
]
for meth, params_count, description in test_data:
try:
params = range(params_count)
meth(*params)
except SecurityException, e:
eq_(e.description, description)
else:
msg = 'A SecurityException was expected here, meth={0}'.format(
meth)
raise Exception(msg)
def get_data(header=True, username=True, nonce=True, created=True,
password_digest=False, valid_password=True, valid_username=True,
send_password_type=True, supported_password_type=True):
if header:
wsse_username = '******'
wsse_password = '******'
wsu_created = '<wsu:Created>{0}</wsu:Created>'
wsse_nonce = '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{0}</wsse:Nonce>'
if username:
if valid_username:
username = wsse_username.format(raw_username)
else:
username = wsse_username.format(uuid4().hex)
else:
username = ''
if nonce:
nonce_value = uuid4().hex.encode('base64')
nonce = wsse_nonce.format(nonce_value)
else:
nonce = ''
if created:
created_value = time.strftime('%Y-%m-%dT%H:%M:%S', time.gmtime())
created_value += '.000Z'
created = wsu_created.format(created_value)
else:
created = ''
created_value = ''
if password_digest:
if send_password_type:
if supported_password_type:
password_type = wsse_password_type_digest
else:
password_type = 'abcdef'
else:
password_type = ''
wsse = WSSE()
if valid_password:
password_value = wsse._get_digest(raw_password, nonce_value, created_value)
else:
password_value = wsse._get_digest(uuid4().hex, nonce_value, created_value)
else:
if send_password_type:
if supported_password_type:
password_type = wsse_password_type_text
else:
password_type = 'abcdef'
else:
password_type = ''
if valid_password:
password_value = raw_password
else:
password_value = uuid4().hex
password = wsse_password.format(password_type=password_type, password_value=password_value)
return """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
{username}
{password}
{created}
{nonce}
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<foo>
<bar>123</bar>
</foo>
</soapenv:Body>
</soapenv:Envelope>""".format(username=username, password=password,
created=created, nonce=nonce)
else:
return """
def get_data(header=True,
username=True,
nonce=True,
created=True,
password_digest=False,
valid_password=True,
valid_username=True,
send_password_type=True,
supported_password_type=True):
if header:
wsse_username = '******'
wsse_password = '******'
wsu_created = '<wsu:Created>{0}</wsu:Created>'
wsse_nonce = '<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">{0}</wsse:Nonce>'
if username:
if valid_username:
username = wsse_username.format(raw_username)
else:
username = wsse_username.format(uuid4().hex)
else:
username = ''
if nonce:
nonce_value = uuid4().hex.encode('base64')
nonce = wsse_nonce.format(nonce_value)
else:
nonce = ''
if created:
created_value = time.strftime('%Y-%m-%dT%H:%M:%S', time.gmtime())
created_value += '.000Z'
created = wsu_created.format(created_value)
else:
created = ''
created_value = ''
if password_digest:
if send_password_type:
if supported_password_type:
password_type = wsse_password_type_digest
else:
password_type = 'abcdef'
else:
password_type = ''
wsse = WSSE()
if valid_password:
password_value = wsse._get_digest(raw_password, nonce_value,
created_value)
else:
password_value = wsse._get_digest(uuid4().hex, nonce_value,
created_value)
else:
if send_password_type:
if supported_password_type:
password_type = wsse_password_type_text
else:
password_type = 'abcdef'
else:
password_type = ''
if valid_password:
password_value = raw_password
else:
password_value = uuid4().hex
password = wsse_password.format(password_type=password_type,
password_value=password_value)
return """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
{username}
{password}
{created}
{nonce}
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<foo>
<bar>123</bar>
</foo>
</soapenv:Body>
</soapenv:Envelope>""".format(username=username,
password=password,
created=created,
nonce=nonce)
else:
return """
