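def create_digest(self, username, api_key, method, uri):
    """
    Creates & returns the HTTP ``Authorization`` header for use with Digest
    Auth.

    The digest challenge is built locally from ``settings.SECRET_KEY``
    instead of being read from a ``WWW-Authenticate`` response, so the
    helper needs access to the settings of the project under test.

    :param username: account name placed in the digest credentials
    :param api_key: the user's API key, passed as the digest password
    :param method: HTTP method; upper-cased before it is signed
    :param uri: request URI covered by the digest
    :returns: the value built by
        ``python_digest.build_authorization_request``
    """
    from tastypie.authentication import hmac, sha1, uuid, python_digest

    new_uuid = uuid.uuid4()
    opaque = hmac.new(
        str(new_uuid).encode('utf-8'),
        digestmod=sha1
    ).hexdigest()

    # hexdigest() already returns text on Python 3, where ``str`` has no
    # decode(); only a byte string (Python 2) still needs decoding.
    if isinstance(opaque, bytes):
        opaque = opaque.decode('utf-8')

    return python_digest.build_authorization_request(
        username,
        method.upper(),
        uri,
        1,  # nonce_count
        digest_challenge=python_digest.build_digest_challenge(
            time.time(),
            # NOTE(review): an unset SECRET_KEY silently becomes '' here,
            # so the challenge would be built with an empty secret.
            getattr(settings, 'SECRET_KEY', ''),
            'django-tastypie',
            opaque,
            False
        ),
        password=api_key
    )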
def test_whitelisting(self):
    """Whitelisted method names skip digest auth; every other one needs it."""
    digest_auth = DigestAuthentication(whitelisted_methods=['a_method'])
    request = HttpRequest()

    # Call the signal handler by hand so the user gets an API key.
    user = User.objects.get(username='******')
    create_api_key(User, instance=user, created=True)

    # A whitelisted method_name is let through with no credentials at all.
    whitelisted = digest_auth.is_authenticated(request, method_name='a_method')
    self.assertEqual(whitelisted, True)

    # Anything outside the whitelist is answered with a 401 challenge.
    refused = digest_auth.is_authenticated(request, method_name='another_method')
    self.assertIsInstance(refused, HttpUnauthorized)

    # Answer a fresh challenge with a correctly computed digest.
    user = User.objects.get(username='******')
    challenge_header = digest_auth.is_authenticated(request)['WWW-Authenticate']
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        user.username,
        request.method,
        '/',  # uri
        1,  # nonce_count
        digest_challenge=challenge_header,
        password=user.api_key.key
    )

    # With valid credentials both kinds of method are accepted.
    for name in ("another_method", "a_method"):
        self.assertEqual(digest_auth.is_authenticated(request, method_name=name), True)
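def test_check_active_false(self):
    """A valid digest must authenticate when ``require_active=False``."""
    auth = DigestAuthentication(require_active=False)
    request = HttpRequest()

    # presumably an inactive fixture user -- confirm against the fixture
    bob_doe = User.objects.get(username='******')
    create_api_key(User, instance=bob_doe, created=True)

    # The first, credential-less call supplies the challenge to answer.
    auth_request = auth.is_authenticated(request)
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        username=bob_doe.username,
        method=request.method,
        uri='/',
        nonce_count=1,
        digest_challenge=python_digest.parse_digest_challenge(auth_request['WWW-Authenticate']),
        password=bob_doe.api_key.key
    )
    auth_request = auth.is_authenticated(request)

    # assertTrue(auth_request, True) treated ``True`` as the failure message
    # and passed for any truthy result, so a rejection returned as a response
    # object would likely not have failed the test. Compare with True instead.
    self.assertEqual(auth_request, True)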
def test_check_active_true(self):
    """A default ``DigestAuthentication`` gives a falsy result for this user.

    NOTE(review): presumably the fixture user is inactive and the active
    check is on by default -- confirm against the fixture and the class.
    """
    authenticator = DigestAuthentication()
    request = HttpRequest()

    user = User.objects.get(username='******')
    create_api_key(User, instance=user, created=True)

    # The credential-less call returns the challenge; its header is passed
    # to python_digest as-is.
    challenge_header = authenticator.is_authenticated(request)['WWW-Authenticate']
    authorization = python_digest.build_authorization_request(
        user.username,
        request.method,
        '/',  # uri
        1,  # nonce_count
        digest_challenge=challenge_header,
        password=user.api_key.key
    )
    request.META['HTTP_AUTHORIZATION'] = authorization

    self.assertFalse(authenticator.is_authenticated(request))
def test_check_active_true(self):
    """A default ``DigestAuthentication`` gives a falsy result for this user.

    NOTE(review): presumably the fixture user is inactive and the active
    check is on by default -- confirm against the fixture and the class.
    """
    digest_auth = DigestAuthentication()
    req = HttpRequest()

    bob = User.objects.get(username="******")
    create_api_key(User, instance=bob, created=True)

    # Parse the challenge out of the response to the credential-less call.
    challenge_response = digest_auth.is_authenticated(req)
    parsed_challenge = python_digest.parse_digest_challenge(
        challenge_response["WWW-Authenticate"]
    )

    req.META["HTTP_AUTHORIZATION"] = python_digest.build_authorization_request(
        username=bob.username,
        method=req.method,
        uri="/",
        nonce_count=1,
        digest_challenge=parsed_challenge,
        password=bob.api_key.key,
    )

    # The digest is built from the stored key, yet the result must be falsy.
    outcome = digest_auth.is_authenticated(req)
    self.assertFalse(outcome)
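def create_digest(self, username, api_key, method, uri):
    """
    Creates & returns the HTTP ``Authorization`` header for use with Digest
    Auth.

    The digest challenge is built locally from ``settings.SECRET_KEY``
    instead of being read from a ``WWW-Authenticate`` response, so the
    helper needs access to the settings of the project under test.

    :param username: account name placed in the digest credentials
    :param api_key: the user's API key, passed as the digest password
    :param method: HTTP method; upper-cased before it is signed
    :param uri: request URI covered by the digest
    :returns: the value built by
        ``python_digest.build_authorization_request``
    """
    from tastypie.authentication import hmac, sha1, uuid, python_digest

    new_uuid = uuid.uuid4()
    # hmac.new() rejects a text key on Python 3; encoding the UUID string
    # gives a bytes key there and is a no-op for the ASCII str on Python 2.
    opaque = hmac.new(str(new_uuid).encode('utf-8'), digestmod=sha1).hexdigest()

    return python_digest.build_authorization_request(
        username,
        method.upper(),
        uri,
        1,  # nonce_count
        digest_challenge=python_digest.build_digest_challenge(
            time.time(),
            # NOTE(review): an unset SECRET_KEY silently becomes '' here,
            # so the challenge would be built with an empty secret.
            getattr(settings, 'SECRET_KEY', ''),
            'django-tastypie',
            opaque,
            False
        ),
        password=api_key
    )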
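def test_check_active_false(self):
    """A valid digest must authenticate when ``require_active=False``."""
    auth = DigestAuthentication(require_active=False)
    request = HttpRequest()

    # presumably an inactive fixture user -- confirm against the fixture
    bob_doe = User.objects.get(username='******')
    create_api_key(User, instance=bob_doe, created=True)

    # The first, credential-less call supplies the challenge to answer.
    auth_request = auth.is_authenticated(request)
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        bob_doe.username,
        request.method,
        '/',  # uri
        1,  # nonce_count
        # NOTE(review): the raw header string is passed here; confirm the
        # python_digest version in use accepts an unparsed challenge.
        digest_challenge=auth_request['WWW-Authenticate'],
        password=bob_doe.api_key.key
    )
    auth_request = auth.is_authenticated(request)

    # assertTrue(auth_request, True) treated ``True`` as the failure message
    # and passed for any truthy result, so a rejection returned as a response
    # object would likely not have failed the test. Compare with True instead.
    self.assertEqual(auth_request, True)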
def test_check_active_true(self):
    """A default ``DigestAuthentication`` gives a falsy result for this user.

    NOTE(review): presumably the fixture user is inactive and the active
    check is on by default -- confirm against the fixture and the class.
    """
    authenticator = DigestAuthentication()
    request = HttpRequest()

    account = User.objects.get(username='******')
    create_api_key(User, instance=account, created=True)

    # Response to the credential-less call; it carries the challenge header.
    first_response = authenticator.is_authenticated(request)

    digest_kwargs = {
        'username': account.username,
        'method': request.method,
        'uri': '/',
        'nonce_count': 1,
        'digest_challenge': python_digest.parse_digest_challenge(
            first_response['WWW-Authenticate']
        ),
        'password': account.api_key.key,
    }
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        **digest_kwargs
    )

    second_response = authenticator.is_authenticated(request)
    self.assertFalse(second_response)
def test_is_authenticated(self):
    """Walk digest auth from the 401 challenge through to a valid login."""
    digest_auth = DigestAuthentication()
    request = HttpRequest()

    # Call the signal handler by hand so the user gets an API key.
    user = User.objects.get(username='******')
    create_api_key(User, instance=user, created=True)

    # With no Authorization header the request is refused.
    response = digest_auth.is_authenticated(request)
    self.assertIsInstance(response, HttpUnauthorized)

    # The refusal advertises the Digest scheme, realm, opaque and nonce.
    challenge_header = response['WWW-Authenticate']
    self.assertTrue(challenge_header.startswith('Digest'))
    for fragment in (' realm="django-tastypie"', ' opaque=', 'nonce='):
        self.assertGreater(challenge_header.find(fragment), 0)

    # None of these is a Digest credential: an arbitrary string, then the
    # Base64 of a bare username and of a user:pass pair (Basic-style).
    rejected_headers = (
        'abcdefg',
        base64.b64encode('daniel'.encode('utf-8')).decode('utf-8'),
        base64.b64encode('daniel:pass'.encode('utf-8')).decode('utf-8'),
    )
    for header_value in rejected_headers:
        request.META['HTTP_AUTHORIZATION'] = header_value
        response = digest_auth.is_authenticated(request)
        self.assertIsInstance(response, HttpUnauthorized)

    # Answer the most recent challenge with the user's real API key.
    user = User.objects.get(username='******')
    parsed_challenge = python_digest.parse_digest_challenge(response['WWW-Authenticate'])
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        username=user.username,
        method=request.method,
        uri='/',
        nonce_count=1,
        digest_challenge=parsed_challenge,
        password=user.api_key.key
    )
    self.assertEqual(digest_auth.is_authenticated(request), True)
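def test_is_authenticated(self):
    """Walk digest auth from the 401 challenge through to a valid login."""
    auth = DigestAuthentication()
    request = HttpRequest()

    # Simulate sending the signal.
    john_doe = User.objects.get(username="******")
    create_api_key(User, instance=john_doe, created=True)

    # No Authorization header at all should fail.
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # HttpUnauthorized with auth type and realm
    self.assertEqual(auth_request["WWW-Authenticate"].find("Digest"), 0)
    self.assertEqual(auth_request["WWW-Authenticate"].find(' realm="django-tastypie"') > 0, True)
    self.assertEqual(auth_request["WWW-Authenticate"].find(" opaque=") > 0, True)
    self.assertEqual(auth_request["WWW-Authenticate"].find("nonce=") > 0, True)

    # An arbitrary string is not a Digest credential.
    request.META["HTTP_AUTHORIZATION"] = "abcdefg"
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Base64 of a bare username (Basic-style, no password).
    # b64encode() needs bytes on Python 3, so encode first and decode the
    # result back to text for the header value.
    request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel".encode("utf-8")).decode("utf-8")
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Base64 of a user:pass pair (Basic-style) is still rejected.
    request.META["HTTP_AUTHORIZATION"] = base64.b64encode("daniel:pass".encode("utf-8")).decode("utf-8")
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Correct user/password.
    john_doe = User.objects.get(username="******")
    request.META["HTTP_AUTHORIZATION"] = python_digest.build_authorization_request(
        john_doe.username,
        request.method,
        "/",  # uri
        1,  # nonce_count
        # NOTE(review): the raw header string is passed here; confirm the
        # python_digest version in use accepts an unparsed challenge.
        digest_challenge=auth_request["WWW-Authenticate"],
        password=john_doe.api_key.key,
    )
    auth_request = auth.is_authenticated(request)
    self.assertEqual(auth_request, True)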
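def test_is_authenticated(self):
    """Walk digest auth from the 401 challenge through to a valid login."""
    auth = DigestAuthentication()
    request = HttpRequest()

    # Simulate sending the signal.
    john_doe = User.objects.get(username='******')
    create_api_key(User, instance=john_doe, created=True)

    # No Authorization header at all should fail.
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # HttpUnauthorized with auth type and realm
    self.assertEqual(auth_request['WWW-Authenticate'].find('Digest'), 0)
    self.assertEqual(auth_request['WWW-Authenticate'].find(' realm="django-tastypie"') > 0, True)
    self.assertEqual(auth_request['WWW-Authenticate'].find(' opaque=') > 0, True)
    self.assertEqual(auth_request['WWW-Authenticate'].find('nonce=') > 0, True)

    # An arbitrary string is not a Digest credential.
    request.META['HTTP_AUTHORIZATION'] = 'abcdefg'
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Base64 of a bare username (Basic-style, no password).
    # b64encode() needs bytes on Python 3, so encode first and decode the
    # result back to text for the header value.
    request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel'.encode('utf-8')).decode('utf-8')
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Base64 of a user:pass pair (Basic-style) is still rejected.
    request.META['HTTP_AUTHORIZATION'] = base64.b64encode('daniel:pass'.encode('utf-8')).decode('utf-8')
    auth_request = auth.is_authenticated(request)
    self.assertEqual(isinstance(auth_request, HttpUnauthorized), True)

    # Correct user/password.
    john_doe = User.objects.get(username='******')
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        john_doe.username,
        request.method,
        '/',  # uri
        1,  # nonce_count
        # NOTE(review): the raw header string is passed here; confirm the
        # python_digest version in use accepts an unparsed challenge.
        digest_challenge=auth_request['WWW-Authenticate'],
        password=john_doe.api_key.key
    )
    auth_request = auth.is_authenticated(request)
    self.assertEqual(auth_request, True)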
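def test_check_active_false(self):
    """A valid digest must authenticate when ``require_active=False``.

    Skipped on Django >= 1.10.
    """
    if django.VERSION >= (1, 10):
        # Report a skip instead of returning, so the run does not count an
        # unexecuted authentication check as a pass.
        self.skipTest(
            'Authenticating inactive users via ModelUserBackend not '
            'supported for Django >= 1.10'
        )

    auth = DigestAuthentication(require_active=False)
    request = HttpRequest()

    # presumably an inactive fixture user -- confirm against the fixture
    bob_doe = User.objects.get(username='******')
    create_api_key(User, instance=bob_doe, created=True)

    # The first, credential-less call supplies the challenge to answer.
    auth_request = auth.is_authenticated(request)
    request.META['HTTP_AUTHORIZATION'] = python_digest.build_authorization_request(
        bob_doe.username,
        request.method,
        '/',  # uri
        1,  # nonce_count
        # NOTE(review): the raw header string is passed here; confirm the
        # python_digest version in use accepts an unparsed challenge.
        digest_challenge=auth_request['WWW-Authenticate'],
        password=bob_doe.api_key.key
    )
    auth_request = auth.is_authenticated(request)

    # assertTrue(auth_request, True) treated ``True`` as the failure message
    # and passed for any truthy result, so a rejection returned as a response
    # object would likely not have failed the test. Compare with True instead.
    self.assertEqual(auth_request, True)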