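def test_authentication_roundtrip_mitm1(self):
    """A client must refuse to answer a challenge issued for another server.

    The challenge is minted by a server that calls itself ``server.name``;
    building the response with ``another.server`` as the server name must
    raise ``InvalidInputException`` instead of producing a signed response.
    The ``mitm`` in the test name indicates this is the relayed-challenge
    case: the client-side half of binding a response to one server name.
    """
    auth_server = server.AuthServer("server_secret", DummyKeyProvider(), "server.name")
    challenge = auth_server.create_challenge("test")
    # assertRaises (a context manager since 2.7) replaces the
    # try / self.fail() / except idiom: it fails when nothing is raised and
    # still errors out when a different exception type is raised.
    with self.assertRaises(exceptions.InvalidInputException):
        create_response(challenge, "another.server", ssh.SingleKeySigner(test_priv_key))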
def test_authentication_roundtrip_v1(self):
    """Happy-path round trip for a challenge created with a second argument of 1.

    The second argument to ``create_challenge`` is presumably a protocol
    version (TODO confirm against AuthServer). The challenge is answered for
    the matching server name, turned into a token, and that token must
    validate on the server that issued it.
    """
    srv = server.AuthServer("server_secret", DummyKeyProvider(), "server.name")
    signer = ssh.SingleKeySigner(test_priv_key)
    challenge = srv.create_challenge("test", 1)
    response = create_response(challenge, "server.name", signer)
    token = srv.create_token(response)
    is_valid = srv.validate_token(token)
    self.assertTrue(is_valid)
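def test_authentication_roundtrip_mitm2(self):
    """A server must reject a response bound to a different server name.

    Server A (``server.name``) issues the challenge and the client answers it
    for ``server.name``. Server B shares the secret and key provider but
    calls itself ``another.server``; handing it the response must raise
    ``InvalidInputException`` from ``create_token`` rather than mint a token.
    This is the server-side half of the name binding checked in the mitm1
    test.
    """
    auth_server_a = server.AuthServer("server_secret", DummyKeyProvider(), "server.name")
    challenge = auth_server_a.create_challenge("test")
    response = create_response(challenge, "server.name", ssh.SingleKeySigner(test_priv_key))
    auth_server_b = server.AuthServer("server_secret", DummyKeyProvider(), "another.server")
    # assertRaises replaces try / self.fail() / except: same pass/fail
    # semantics, less boilerplate.
    with self.assertRaises(exceptions.InvalidInputException):
        auth_server_b.create_token(response)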
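def test_create_token_too_old(self):
    """A response to a challenge that is too old must not yield a token.

    The challenge is created against the real clock; a second server with
    the same secret and name whose ``now_func`` runs 1000 seconds ahead must
    raise ``InvalidInputException`` from ``create_token``. The exact
    tolerated age is not visible here -- 1000 s is simply beyond it.
    """
    auth_server_a = server.AuthServer("server_secret", DummyKeyProvider(), "server.name")
    challenge = auth_server_a.create_challenge("test")
    response = create_response(challenge, "server.name", ssh.SingleKeySigner(test_priv_key))
    # Same server identity, clock skewed 1000 s into the future.
    auth_server_b = server.AuthServer("server_secret", DummyKeyProvider(), "server.name",
                                      now_func=lambda: time.time() + 1000)
    with self.assertRaises(exceptions.InvalidInputException):
        auth_server_b.create_token(response)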
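def test_validate_token_too_new(self):
    """A token issued 'in the future' relative to the validator must not validate.

    Server A mints a token at real time; server B (same secret and name) has
    a ``now_func`` running 1000 seconds behind, so from its point of view the
    token was issued in the future. It must raise ``TokenExpiredException``
    -- the exception name is counter-intuitive for this direction of skew,
    but that is what the server raises here.
    """
    auth_server_a = server.AuthServer("server_secret", DummyKeyProvider(), "server.name")
    challenge = auth_server_a.create_challenge("test")
    response = create_response(challenge, "server.name", ssh.SingleKeySigner(test_priv_key))
    token = auth_server_a.create_token(response)
    # Same server identity, clock skewed 1000 s into the past.
    auth_server_b = server.AuthServer("server_secret", DummyKeyProvider(), "server.name",
                                      now_func=lambda: time.time() - 1000)
    with self.assertRaises(exceptions.TokenExpiredException):
        auth_server_b.validate_token(token)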
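def _authenticate(base_url, username, private_key_filename):
    """Run the crtauth request/response handshake against ``base_url``.

    Reads the private key at ``private_key_filename`` into an
    ``ssh.SingleKeySigner``, fetches a challenge for ``username`` through
    ``_auth_get``, signs it for the host named in ``base_url`` and returns
    whatever ``_auth_get`` yields for the ``response:`` call (presumably the
    token reply -- see ``_auth_get``).

    Exits the process with status 1 after a message on stderr when the key
    file cannot be read or is not accepted by ``SingleKeySigner``.
    """
    try:
        with open(private_key_filename) as f:
            signer = ssh.SingleKeySigner(f.read())
    except Exception as e:
        # Not a bare ``except:``, which would also swallow KeyboardInterrupt
        # and SystemExit. Include the cause so a missing file and an
        # encrypted key are distinguishable; terminate the line with '\n'.
        sys.stderr.write("ERROR: Key file must be a passphraseless private key "
                         "generated by ssh-keygen (%s)\n" % e)
        sys.exit(1)
    challenge = _auth_get(base_url, "request:%s" % client.create_request(username))
    # The response is bound to a server name; derive it from the URL we are
    # actually talking to. netloc may carry a port (``host:port``), so keep
    # only the host part. The previous ``hostname.index(":") != -1`` test
    # raised ValueError whenever there was no port at all (``index`` does not
    # return -1); ``partition`` yields the whole netloc in that case.
    # NOTE(review): a ``user@host`` or bracketed IPv6 netloc is not handled.
    hostname = urlparse.urlparse(base_url).netloc.partition(":")[0]
    response = client.create_response(challenge, hostname, signer)
    return _auth_get(base_url, "response:" + response)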
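def _authenticate(base_url, username, private_key_filename):
    """Run the crtauth request/response handshake against ``base_url``.

    Reads the private key at ``private_key_filename`` into an
    ``ssh.SingleKeySigner``, fetches a challenge for ``username`` through
    ``_auth_get``, signs it for the host named in ``base_url`` and returns
    whatever ``_auth_get`` yields for the ``response:`` call (presumably the
    token reply -- see ``_auth_get``).

    Exits the process with status 1 after a message on stderr when the key
    file cannot be read or is not accepted by ``SingleKeySigner``.
    """
    try:
        with open(private_key_filename) as f:
            signer = ssh.SingleKeySigner(f.read())
    except Exception as e:
        # Not a bare ``except:``, which would also swallow KeyboardInterrupt
        # and SystemExit. Include the cause so a missing file and an
        # encrypted key are distinguishable; terminate the line with '\n'.
        sys.stderr.write(
            'ERROR: Key file must be a passphraseless private key '
            'generated by ssh-keygen (%s)\n' % e)
        sys.exit(1)
    challenge = _auth_get(base_url, 'request:%s' % client.create_request(username))
    # The response is bound to a server name; derive it from the URL we are
    # actually talking to. netloc may carry a port (``host:port``), so keep
    # only the host part. The previous ``hostname.index(':') != -1`` test
    # raised ValueError whenever there was no port at all (``index`` does not
    # return -1); ``partition`` yields the whole netloc in that case.
    # NOTE(review): a ``user@host`` or bracketed IPv6 netloc is not handled.
    hostname = urlparse.urlparse(base_url).netloc.partition(':')[0]
    response = client.create_response(challenge, hostname, signer)
    return _auth_get(base_url, 'response:' + response)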
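def _challenge_response(self, response, **kwargs):
    """Extracts a CHAP challenge from response headers and forms a response.

    Args:
      response: An instance of requests.Response() with the 'X-CHAP:challenge'
        header.
      **kwargs: Keyword arguments to pass with subsequent requests.

    Returns:
      An instance of requests.Response() with the appropriate 'X-CHAP:token'
      header. ``response`` is appended to its ``history``.

    Raises:
      HttpCrtAuthError: When the challenge reply is an HTTP error (status
        400 or above) or the X-CHAP:challenge header is missing.
    """
    # The original test was ``status_code / 400 == 1``: true for 400-799
    # under Python 2 integer division, but under Python 3's true division
    # only an exact 400 matches, so 401/403/404 replies fell through to the
    # less helpful "missing header" error below. Compare explicitly.
    if response.status_code >= 400:
        raise HttpCrtAuthError(
            ('%s response in challenge reply. '
             '(Is the server aware of your username or key?)')
            % response.status_code)
    if 'X-CHAP' not in response.headers:
        raise HttpCrtAuthError('Missing CHAP headers in challenge reply.')
    chap_type, chap_challenge = _parse_chap_header(response.headers)
    if chap_type != 'challenge':
        raise HttpCrtAuthError('Missing CHAP challenge in challenge reply.')
    logging.debug('Sending response to challenge %s', chap_challenge)
    request = _consume_response(response)
    # The server name the response is bound to comes from the URL of the
    # request actually being sent (after ``_consume_response``), presumably
    # so a signed response cannot be reused against a differently named host.
    challenge_response = crtauth_client.create_response(
        chap_challenge, _crtauth_server_name(request.url), self.signer)
    request.headers['X-CHAP'] = 'response:%s' % challenge_response
    token_reply = response.connection.send(request, **kwargs)
    token_reply.history.append(response)
    return token_reply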