def test_passing_filelike_as_request_object(self):
    """A file-like object holding raw HTTP text is accepted as a request.

    A fresh StringIO is built for every step, presumably because the
    library reads the stream while parsing it (the original fixture
    never reuses one). ``nonces=False`` switches replay tracking off so
    the fixed nonce inside TEST_REQ_SIGNED can be verified any number of
    times without being flagged as a replay.
    """
    # An unsigned request must never verify.
    unsigned = StringIO.StringIO(TEST_REQ)
    assert not check_signature(unsigned, TEST_KEY, nonces=False)

    # Signing with the fixed TEST_PARAMS must reproduce the known-good
    # signature (a deterministic signature needs fixed ts/nonce in
    # TEST_PARAMS; that fixture is defined elsewhere).
    to_sign = StringIO.StringIO(TEST_REQ)
    header = sign_request(to_sign, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in header

    # The pre-signed reference request verifies against the same key.
    signed = StringIO.StringIO(TEST_REQ_SIGNED)
    assert check_signature(signed, TEST_KEY, nonces=False)
def test_passing_requests_request_as_request_object(self):
    """A ``requests.Request`` object is accepted and signed in place.

    Unlike the file-like case the same object is reused throughout:
    ``sign_request`` attaches the Authorization header to it, which is
    what lets the final ``check_signature`` succeed. The query
    parameters are listed as b then a, matching the "b=1&a=2"
    QUERY_STRING used by the sibling environ-dict test.
    """
    req = requests.Request(
        method="POST",
        url="http://example.com/resource/1",
        params=[("b", "1"), ("a", "2")],
        data="hello world",
    )
    # Not yet signed: must be rejected.
    assert not check_signature(req, TEST_KEY, nonces=False)

    # Signing with fixed params yields the reference signature and
    # mutates ``req`` so it now carries a valid header.
    header = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in header
    assert check_signature(req, TEST_KEY, nonces=False)
def test_check_signature_fails_with_reused_nonce(self):
    """Replaying a nonce is rejected by the default nonce cache.

    Two independently signed requests carry the same nonce "PEPPER".
    The first verifies and (presumably) records the nonce in the
    library's default cache; the second is refused as a replay. A
    brand-new ``NonceCache`` has no memory of "PEPPER", so the very
    same replayed request verifies against it — which is also why
    tests that must re-verify fixed fixtures pass ``nonces=False``.
    """
    def signed_with_nonce(nonce):
        # Pre-seeding the authorization dict is how the fixture pins
        # the nonce instead of letting sign_request choose one.
        r = Request.blank("/")
        r.authorization = ("MAC", {"nonce": nonce})
        sign_request(r, "myid", "mykey")
        return r

    first = signed_with_nonce("PEPPER")
    self.assertTrue(check_signature(first, "mykey"))

    replay = signed_with_nonce("PEPPER")
    self.assertFalse(check_signature(replay, "mykey"))

    # A separate cache has not seen "PEPPER" yet.
    self.assertTrue(check_signature(replay, "mykey", nonces=NonceCache()))
def test_check_signature_fails_with_far_future_timestamp(self):
    """A timestamp far ahead of the server clock is rejected.

    The first, accepted request lets the server calculate and cache this
    client's clock skew (per the original fixture's comment). The same
    request object is then re-signed with a timestamp 1000 seconds in
    the future; that offset is assumed to lie outside whatever skew
    tolerance the library applies — if the window is ever widened past
    that, this test needs a larger offset. Each signing replaces the
    whole authorization tuple, so no stale signature survives.
    """
    req = Request.blank("/")

    def sign_with_ts(ts_value):
        req.authorization = ("MAC", {"ts": ts_value})
        sign_request(req, "myid", "mykey")

    # Baseline: current time, must verify.
    sign_with_ts(str(int(time.time())))
    self.assertTrue(check_signature(req, "mykey"))

    # Far-future: must be refused.
    sign_with_ts(str(int(time.time() + 1000)))
    self.assertFalse(check_signature(req, "mykey"))
def test_passing_environ_dict_as_request_object(self):
    """A bare WSGI environ dict is accepted as a request object.

    The body travels as a "wsgi.input" stream with its size declared
    in HTTP_CONTENT_LENGTH (NOTE(review): a real WSGI server exposes
    this as CONTENT_LENGTH; the HTTP_ spelling is kept from the
    original fixture). The dict is reused, so the header that
    ``sign_request`` writes into it is what makes the last check pass.
    """
    body = "hello world"
    environ = {
        "wsgi.url_scheme": "http",
        "wsgi.input": StringIO.StringIO(body),
        "REQUEST_METHOD": "POST",
        "HTTP_HOST": "example.com",
        "HTTP_CONTENT_LENGTH": str(len(body)),
        "PATH_INFO": "/resource/1",
        "QUERY_STRING": "b=1&a=2",
    }
    # Unsigned environ must be rejected.
    assert not check_signature(environ, TEST_KEY, nonces=False)

    # Fixed params reproduce the reference signature and sign in place.
    header = sign_request(environ, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in header
    assert check_signature(environ, TEST_KEY, nonces=False)
def _check_signature(self, request, key):
    """Verify the request's MAC signature with ``key`` or raise a challenge.

    Returns True when the signature is valid. A missing or invalid
    signature raises whatever ``self.challenge`` builds (the original
    docstring says HTTPUnauthorized).

    The verdict is memoised on ``request.environ`` under
    "macauth.signature_is_valid": Pyramid does not cache authentication
    results and calls into this policy several times per request, while
    the nonce cache marks a nonce as used on the first check — a second
    full verification of the same request would therefore be refused as
    a replay. The flag lives in the server-built environ, not in an HTTP
    header, so a client cannot preset it.

    NOTE(review): the memo is keyed on the request only, not on ``key``.
    A later call for the same request with a different key is answered
    from the cache; presumably every caller within one request derives
    the same key from the same MAC id, but new call sites should not
    rely on this method to distinguish keys.
    """
    env = request.environ
    if env.get("macauth.signature_is_valid", False):
        return True

    # Params are expected to be cached by _get_params; None means there
    # is no MAC header at all.
    params = self._get_params(request)
    if params is None:
        raise self.challenge(request, "missing MAC signature")

    valid = macauthlib.check_signature(
        request, key, params=params, nonces=self.nonce_cache
    )
    if not valid:
        raise self.challenge(request, "invalid MAC signature")

    # Remember the verdict so later policy calls skip the nonce check.
    env["macauth.signature_is_valid"] = True
    return True
def test_check_signature_fails_with_busted_signature(self):
    """Tampering with only the ``mac`` value of a valid header makes it fail.

    The header is rewritten directly in the WSGI environ with the
    signature prefixed by "XXX", so id, ts and nonce remain intact and
    the MAC itself is the only thing wrong.
    """
    req = Request.blank("/")
    sign_request(req, "myid", "mykey")

    good_mac = parse_authz_header(req)["mac"]
    header = req.environ["HTTP_AUTHORIZATION"]
    req.environ["HTTP_AUTHORIZATION"] = header.replace(good_mac, "XXX" + good_mac)

    self.assertFalse(check_signature(req, "mykey"))
def test_passing_webob_request_as_request_object(self):
    """A WebOb Request parsed from the raw fixture bytes is accepted.

    The object is signed in place, so the same instance that was
    rejected before signing verifies afterwards.
    """
    req = webob.Request.from_bytes(TEST_REQ)
    assert not check_signature(req, TEST_KEY, nonces=False)

    header = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in header
    assert check_signature(req, TEST_KEY, nonces=False)
def test_check_signature_errors_when_missing_id(self):
    """A MAC header with no ``id`` is reported invalid rather than raised.

    ``check_signature`` returns False for the malformed header instead
    of letting a KeyError escape, so a client cannot trip the verifier
    into a 500 simply by omitting a field.
    """
    raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    req = Request.from_bytes(raw)
    # ts and nonce present; id deliberately absent.
    req.authorization = ("MAC", {"ts": "1", "nonce": "2"})
    self.assertFalse(check_signature(req, "secretkeyohsecretkey"))
def pre_request_hook(req):
    """Test hook: sign the outgoing request, verify it, then abort.

    Raising RuntimeError presumably stops the HTTP client before
    anything hits the network; the surrounding test only needs to see
    that the hook ran and that the freshly signed request verifies.
    """
    sign_request(req, TEST_ID, TEST_KEY)
    assert check_signature(req, TEST_KEY, nonces=False)
    raise RuntimeError("aborting the request")
def _check_signature(self, request, secret, params=None):
    """Verify ``request``'s MAC signature against ``secret``.

    Thin wrapper around ``macauthlib.check_signature`` that always
    supplies this instance's nonce cache, so replay tracking is scoped
    to this object rather than to whatever default macauthlib uses.
    ``params`` may be pre-parsed header params or None.
    """
    nonces = self.nonce_cache
    return macauthlib.check_signature(
        request,
        secret,
        params=params,
        nonces=nonces,
    )
def test_check_signature_fails_with_non_mac_scheme(self):
    """A correctly signed header relabelled under another scheme is rejected.

    Every MAC parameter (id, ts, nonce, mac) is kept verbatim; only the
    scheme token is changed to "OAuth". The verifier must key on the
    scheme and not accept the parameters just because they are valid.
    """
    raw = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    req = Request.from_bytes(raw)
    sign_request(req, "myid", "mykey")

    mac_params = req.authorization[1]
    req.authorization = ("OAuth", mac_params)
    self.assertFalse(check_signature(req, "mykey"))
def __call__(self, req):
    """Test hook: sign with fixed params, verify, check the header, abort.

    Uses TEST_PARAMS so the resulting Authorization header must contain
    the reference TEST_SIG. The RuntimeError presumably aborts the
    client before any network traffic.
    """
    sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in req.headers['Authorization']
    assert check_signature(req, TEST_KEY, nonces=False)
    raise RuntimeError("aborting the request")
def test_passing_bytestring_as_request_object(self):
    """Raw HTTP request bytes are accepted directly.

    Bytes cannot be signed in place, so unlike the object-based tests
    the returned header is inspected for TEST_SIG and the separate
    TEST_REQ_SIGNED fixture serves as the positive case.
    """
    unsigned, signed = TEST_REQ, TEST_REQ_SIGNED

    assert not check_signature(unsigned, TEST_KEY, nonces=False)

    header = sign_request(unsigned, TEST_ID, TEST_KEY, params=TEST_PARAMS)
    assert TEST_SIG in header

    assert check_signature(signed, TEST_KEY, nonces=False)