示例#1
 def test_authentication_roundtrip_mitm2(self):
     """Reject a response presented to a server with a different name.

     The response is produced for "server.name" and then handed to a second
     AuthServer configured as "another.server". Both servers are built with
     the same secret, so the only difference between them is the name; the
     test requires create_token to raise InvalidInputException, i.e. a
     response obtained for one service must not be usable at another.
     """
     issuing_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                        "server.name")
     issued_challenge = issuing_server.create_challenge("test")
     signed_response = create_response(issued_challenge, "server.name",
                                       ssh.SingleKeySigner(test_priv_key))
     other_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                      "another.server")
     try:
         other_server.create_token(signed_response)
     except exceptions.InvalidInputException:
         # Expected outcome: the relayed response is refused.
         pass
     else:
         self.fail("should have thrown exception")
示例#2
 def test_create_token_too_old(self):
     """Reject a response to a challenge that has aged past its lifetime.

     The challenge is issued with the real clock, while the validating
     server is given a now_func that runs 1000 seconds ahead. The test
     requires create_token to raise InvalidInputException, which pins the
     freshness check on challenges (a captured response cannot be replayed
     later).
     """
     issuing_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                        "server.name")
     issued_challenge = issuing_server.create_challenge("test")
     signed_response = create_response(issued_challenge, "server.name",
                                       ssh.SingleKeySigner(test_priv_key))
     # Same secret and name; only the clock is shifted into the future.
     late_server = server.AuthServer("server_secret",
                                     DummyKeyProvider(),
                                     "server.name",
                                     now_func=lambda: time.time() + 1000)
     try:
         late_server.create_token(signed_response)
     except exceptions.InvalidInputException:
         pass
     else:
         self.fail("Should have issued InvalidInputException, "
                   "challenge too old")
示例#3
 def test_create_challenge_no_legacy_support(self):
     """Refuse a version-less challenge request when the floor is version 1.

     The server is built with lowest_supported_version=1 and
     create_challenge is called without a version argument; the test
     requires ProtocolVersionError.
     NOTE(review): presumably the omitted version defaults to the legacy
     protocol, which is what gets refused here -- confirm against
     AuthServer.create_challenge.
     """
     strict_server = server.AuthServer("secret",
                                       DummyKeyProvider(),
                                       "server.name",
                                       lowest_supported_version=1)
     with self.assertRaises(exceptions.ProtocolVersionError):
         strict_server.create_challenge("noa")
示例#4
    def test_create_token_invalid_duration(self):
        """Reject a token whose expiry lies 3600 seconds in the future.

        The token is minted directly through the private _make_token helper,
        bypassing the challenge/response exchange, and validate_token must
        raise InvalidInputException for it.
        NOTE(review): presumably 3600 s exceeds the maximum token lifetime
        the server accepts -- confirm the limit in AuthServer.
        """
        auth_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                        "server.name")
        expiry = int(time.time()) + 3600
        long_lived_token = auth_server._make_token("some_user", expiry)

        with self.assertRaises(exceptions.InvalidInputException):
            auth_server.validate_token(long_lived_token)
示例#5
    def test_validate_token_wrong_secret(self):
        """Accept a fixed token under the right secret, reject it otherwise.

        Both servers share the key provider type, the server name and a
        frozen clock; only the secret differs. The first validate_token call
        merely has to return without raising (its result is not asserted);
        the second must raise InvalidInputException.
        """
        def frozen_now():
            # Fixed timestamp so the hard-coded token is inside its validity
            # window regardless of when the test runs.
            return 1411746561.058992

        token = "dgAAAJgtmNoqST9RaxayI7UP5-GLviUDAAAAFHQAAABUJYr_VCWLPQAAAAR0ZXN0"
        good_server = server.AuthServer("server_secret",
                                        DummyKeyProvider(),
                                        "server.name",
                                        now_func=frozen_now)
        good_server.validate_token(token)

        bad_server = server.AuthServer("wrong_secret",
                                       DummyKeyProvider(),
                                       "server.name",
                                       now_func=frozen_now)
        try:
            bad_server.validate_token(token)
        except exceptions.InvalidInputException:
            pass
        else:
            self.fail("Should have gotten InvalidInputException")
示例#6
 def test_validate_token_too_new(self):
     """Reject a token whose validity window has not started yet.

     A token is obtained through a normal challenge/response exchange, then
     validated by a server whose now_func runs 1000 seconds behind. The test
     requires TokenExpiredException, the same exception type the message
     below names for this "too new" case.
     """
     issuing_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                        "server.name")
     issued_challenge = issuing_server.create_challenge("test")
     signed_response = create_response(issued_challenge, "server.name",
                                       ssh.SingleKeySigner(test_priv_key))
     token = issuing_server.create_token(signed_response)
     # Same secret and name; only the clock is shifted into the past.
     early_server = server.AuthServer("server_secret",
                                      DummyKeyProvider(),
                                      "server.name",
                                      now_func=lambda: time.time() - 1000)
     try:
         early_server.validate_token(token)
     except exceptions.TokenExpiredException:
         pass
     else:
         self.fail("Should have issued TokenExpiredException, "
                   "token too new")
示例#7
 def test_authentication_roundtrip_v1(self):
     """Run a full exchange with an explicit version-1 challenge.

     One server issues the challenge (version argument 1), receives the
     signed response, mints a token from it and validates that token; the
     validation result must be truthy.
     """
     auth_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                     "server.name")
     v1_challenge = auth_server.create_challenge("test", 1)
     signed_response = create_response(v1_challenge, "server.name",
                                       ssh.SingleKeySigner(test_priv_key))
     token = auth_server.create_token(signed_response)
     is_valid = auth_server.validate_token(token)
     self.assertTrue(is_valid)
示例#8
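    def test_create_challenge_v1(self):
        """Check the key fingerprint embedded in a version-1 challenge.

        The challenge string is base64url-decoded and parsed with
        msgpack_protocol.Challenge; its fingerprint field must equal the
        six-byte literal below.
        NOTE(review): the literal is presumably the fingerprint of the key
        DummyKeyProvider returns for "noa" -- confirm against the fixture.
        """
        auth_server = server.AuthServer("secret", DummyKeyProvider(),
                                        "server.name")
        challenge = auth_server.create_challenge("noa", 1)
        cb = ssh.base64url_decode(challenge)

        decoded_challenge = msgpack_protocol.Challenge.deserialize(cb)

        # assertEqual replaces the deprecated assertEquals alias, which newer
        # unittest releases no longer provide.
        self.assertEqual("\xfb\xa1\xeao\xd3y", decoded_challenge.fingerprint)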
示例#9
 def test_create_token_invalid_input(self):
     """Reject strings that are not responses produced by create_response.

     Two literals are fed to create_token: a base64url-looking string and
     the plain word "random". Each must raise ProtocolError, so malformed
     input is refused with a protocol-level exception.
     """
     auth_server = server.AuthServer("gurka", DummyKeyProvider(),
                                     "server.name")
     malformed_responses = (
         "2tYneWsOm88qu_Trzahw2r6ZLg37oepv03mykGS-HdcnWJLuUMDOmfVI"
         "Wl5n3U6qt6Fub2E",
         "random",
     )
     for candidate in malformed_responses:
         try:
             auth_server.create_token(candidate)
         except exceptions.ProtocolError:
             pass
         else:
             self.fail("Input is invalid, should have thrown exception")
示例#10
 def test_authentication_roundtrip_mitm1(self):
     """Client side refuses to answer a challenge from an unexpected server.

     The challenge is issued by a server named "server.name", but
     create_response is told the client intended to talk to
     "another.server". The test requires create_response itself to raise
     InvalidInputException, so no signed response is produced for a
     challenge that came from a different server than the one requested.
     """
     auth_server = server.AuthServer("server_secret", DummyKeyProvider(),
                                     "server.name")
     issued_challenge = auth_server.create_challenge("test")
     signer = ssh.SingleKeySigner(test_priv_key)
     try:
         create_response(issued_challenge, "another.server", signer)
     except exceptions.InvalidInputException:
         pass
     else:
         self.fail("Should have gotten InvalidInputException")
示例#11
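    def test_create_challenge(self):
        """Check the key fingerprint embedded in a default-version challenge.

        The challenge string is base64url-decoded, unwrapped from
        protocol.VerifiablePayload, and its payload parsed as
        protocol.Challenge; the fingerprint field must equal the six-byte
        literal below.
        NOTE(review): only the payload is inspected here; this test does not
        check the verification data that wraps it.
        """
        auth_server = server.AuthServer("gurka", DummyKeyProvider(),
                                        "server.name")
        s = auth_server.create_challenge("noa")
        cb = ssh.base64url_decode(s)

        verifiable_payload = protocol.VerifiablePayload.deserialize(cb)

        challenge = protocol.Challenge.deserialize(verifiable_payload.payload)

        # assertEqual replaces the deprecated assertEquals alias, which newer
        # unittest releases no longer provide.
        self.assertEqual("\xfb\xa1\xeao\xd3y", challenge.fingerprint)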
示例#12
文件: server.py 项目: spotify/drserv
def main():
    """Parse the command line, load the config and run the drserv server.

    The config file path comes from --config (default /etc/drserv.yml). The
    keys read from it are crtauth_secret, keys_dir, service_name,
    listen_port, target_basedir and index_command; a missing key raises
    KeyError from the dict lookup. serve_forever() is called on the
    constructed DrservServer, so this function is not expected to return in
    normal operation.

    NOTE(review): the value under 'crtauth_secret' is handed to AuthServer as
    its secret, so the config file presumably needs to be readable only by
    the service account -- confirm deployment permissions.
    NOTE(review): lowest_supported_version=1 is passed to AuthServer,
    presumably so that older protocol versions are refused -- confirm
    against crtauth.
    """
    setup_logging()

    parser = argparse.ArgumentParser('drserv-server',
                                     description='The drserv service')
    parser.add_argument('--config',
                        action='store',
                        default='/etc/drserv.yml',
                        help='the config file')
    args = parser.parse_args()

    config = read_config(args.config)

    # Public keys used for authentication are looked up under keys_dir.
    secret = config['crtauth_secret']
    keys = key_provider.FileKeyProvider(config['keys_dir'])
    service_name = config['service_name']
    auth_server = server.AuthServer(secret,
                                    keys,
                                    service_name,
                                    lowest_supported_version=1)

    drserv = DrservServer(config['listen_port'], config['target_basedir'],
                          config['index_command'], auth_server)
    drserv.serve_forever()