def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) with transaction.commit_on_success(): self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) with transaction.commit_on_success(): self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request))
def __call__(self, request): authenticator = HttpDigestAuthenticator() if (not authenticator.authenticate(request) and (get_setting("DIGEST_REQUIRE_AUTHENTICATION", False) or authenticator.contains_digest_credentials(request))): return authenticator.build_challenge_response() response = self.get_response(request) if response.status_code == 401: return authenticator.build_challenge_response() return response
def test_authenticate_nonce(self): testuser = User.objects.create_user(username='******', email='*****@*****.**', password='******') User.objects.create_user(username='******', email='*****@*****.**', password='******') nonce = python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() assert 'HTTP_AUTHORIZATION' in first_request.META assert python_digest.is_digest_credential( first_request.META['HTTP_AUTHORIZATION']) self.assertTrue( HttpDigestAuthenticator.contains_digest_credentials(first_request)) transaction.set_autocommit(False) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request)) transaction.commit() transaction.set_autocommit(True)
def test_authenticate_nonce(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser authenticator = HttpDigestAuthenticator() assert 'HTTP_AUTHORIZATION' in first_request.META assert python_digest.is_digest_credential(first_request.META['HTTP_AUTHORIZATION']) self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials( first_request )) transaction.set_autocommit(False) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) transaction.rollback() self.assertTrue(authenticator.authenticate(third_request)) transaction.commit() transaction.set_autocommit(True)
def test_authenticate(self): testuser = User.objects.create_user( username='******', email='*****@*****.**', password='******') otheruser = User.objects.create_user( username='******', email='*****@*****.**', password='******') nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY) first_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) first_request.user = testuser # same nonce, same nonce count, will fail second_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce) # same nonce, new nonce count, it works third_request = self.create_mock_request(username=testuser.username, password='******', nonce=nonce, nonce_count=2) third_request.user = testuser # an invalid request fourth_request = self.create_mock_request_for_header( 'Digest blah blah blah') # an invalid request fifth_request = self.create_mock_request_for_header(None) # an invalid nonce sixth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=1, nonce=python_digest.calculate_nonce(time.time(), secret='bad secret')) # an invalid request digest (wrong password) seventh_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) # attack attempts / failures don't invalidate the session or increment nonce_cont eighth_request = self.create_mock_request( username=testuser.username, password='******', nonce=nonce, nonce_count=3) eighth_request.user = testuser # mismatched URI ninth_request = self.create_mock_request( username=testuser.username, nonce=nonce, password='******', nonce_count=4, request_path='/different/path') # stale nonce tenth_request = self.create_mock_request( username=testuser.username, password='******', nonce_count=4, nonce=python_digest.calculate_nonce( time.time()-60000, secret=settings.SECRET_KEY)) # once the nonce is used by one user, can't be reused by another eleventh_request = self.create_mock_request( username=otheruser.username, password='******', nonce=nonce, nonce_count=4) # if the partial digest is not in the DB, authentication fails twelfth_request = self.create_mock_request(username=testuser.username, password='******', nonce_count=3) # a request for Basic auth thirteenth_request = self.create_mock_request_for_header( 'Basic YmxhaDpibGFo') authenticator = HttpDigestAuthenticator() with self.mocker: self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(first_request)) self.assertTrue(authenticator.authenticate(first_request)) self.assertFalse(authenticator.authenticate(second_request)) self.assertTrue(authenticator.authenticate(third_request)) self.assertFalse(authenticator.authenticate(fourth_request)) self.assertFalse(authenticator.authenticate(fifth_request)) self.assertFalse(authenticator.authenticate(sixth_request)) self.assertFalse(authenticator.authenticate(seventh_request)) self.assertTrue(authenticator.authenticate(eighth_request)) self.assertFalse(authenticator.authenticate(ninth_request)) self.assertFalse(authenticator.authenticate(tenth_request)) self.assertFalse(authenticator.authenticate(eleventh_request)) PartialDigest.objects.all().delete() self.assertFalse(authenticator.authenticate(twelfth_request)) self.assertFalse(authenticator.authenticate(thirteenth_request))