def send_job(repo, server, cycles="", duration="", nodes="", redirect_url=""): mac_user = os.environ.get("MACAUTH_USER") mac_secret = os.environ.get("MACAUTH_SECRET") request = Request.blank(server.rstrip("/") + "/test") request.method = "POST" params = { "repo": repo, "cycles": cycles, "duration": duration, "nodes": nodes, "redirect_url": redirect_url, "api_call": 1, } request.body = urllib.urlencode(params) request.environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded" if mac_user is not None: tokenid = tokenlib.make_token({"user": mac_user}, secret=mac_secret) key = tokenlib.get_token_secret(tokenid, secret=mac_secret) sign_request(request, tokenid, key) resp = request.get_response(proxy_exact_request) if resp.status_int == 401: raise ValueError("Authorization Failed!") job_id = resp.json["job_id"] return server.rstrip("/") + "/test/" + job_id
def send_job(repo, server, cycles='', duration='', nodes='', redirect_url=''): mac_user = os.environ.get('MACAUTH_USER') mac_secret = os.environ.get('MACAUTH_SECRET') request = Request.blank(server.rstrip('/') + '/test') request.method = 'POST' params = { 'repo': repo, 'cycles': cycles, 'duration': duration, 'nodes': nodes, 'redirect_url': redirect_url, 'api_call': 1 } request.body = urllib.urlencode(params) request.environ['CONTENT_TYPE'] = 'application/x-www-form-urlencoded' if mac_user is not None: tokenid = tokenlib.make_token({"user": mac_user}, secret=mac_secret) key = tokenlib.get_token_secret(tokenid, secret=mac_secret) sign_request(request, tokenid, key) resp = request.get_response(proxy_exact_request) if resp.status_int == 401: raise ValueError("Authorization Failed!") job_id = resp.json['job_id'] return server.rstrip('/') + '/test/' + job_id
def _browse(self, url_in, params_in=None, description=None, ok_codes=None, method='post', *args, **kwds): # Automatically add a fresh MACAuth header to the request. if self.auth_token is not None: req = Request.blank(url_in) req.method = method.upper() if params_in and req.method in ( "GET", "HEAD", ): qs_items = ("%s=%s" % item for item in params_in.iteritems()) req.query_string = "&".join(qs_items) macauthlib.sign_request(req, self.auth_token, self.auth_secret) self.setHeader("Authorization", req.environ["HTTP_AUTHORIZATION"]) # Log the start and end of the request, for debugging purposes. args = (url_in, params_in, description, ok_codes, method) + args self.logi("%s: %s" % (method.upper(), url_in)) try: result = super(StressTest, self)._browse(*args, **kwds) except Exception, e: self.logi(" FAIL: " + url_in + " " + repr(e)) raise
def setMACAuthHeader(self, method, url, token, secret): """Set the Sagrada MAC Auth header using the given credentials.""" req = Request.blank(url) req.method = method macauthlib.sign_request(req, token, secret) self.clearHeaders() self.addHeader("Authorization", req.environ["HTTP_AUTHORIZATION"])
def _authHook(self,req): # This method will be used as a "pre-request hook" for the requests session. # It does MAC Authentication using the macauthlib library. # It will hook up sign_request() to be called on every request # using the current value of self.mac_key_id and self.mac_key macauthlib.sign_request(req, id=self.mac_key_id, key=self.mac_key, hashmod=hashlib.sha256) return req
def test_authentication_without_nonce_fails(self): creds = self._get_credentials(username="******") req = Request.blank("/") macauthlib.sign_request(req, **creds) authz = req.environ["HTTP_AUTHORIZATION"] authz = authz.replace("nonce", "typonce") req.environ["HTTP_AUTHORIZATION"] = authz self.app.request(req, status=401)
def test_check_signature_fails_with_busted_signature(self): req = Request.blank("/") sign_request(req, "myid", "mykey") signature = parse_authz_header(req)["mac"] authz = req.environ["HTTP_AUTHORIZATION"] authz = authz.replace(signature, "XXX" + signature) req.environ["HTTP_AUTHORIZATION"] = authz self.assertFalse(check_signature(req, "mykey"))
def test_authentication_with_busted_signature_fails(self): creds = self._get_credentials(username="******") req = Request.blank("/") macauthlib.sign_request(req, **creds) signature = macauthlib.utils.parse_authz_header(req)["mac"] authz = req.environ["HTTP_AUTHORIZATION"] authz = authz.replace(signature, "XXX" + signature) req.environ["HTTP_AUTHORIZATION"] = authz self.app.request(req, status=401)
def test_that_macauth_can_use_per_node_hostname_secrets(self): with tempfile.NamedTemporaryFile() as sf: # Write some secrets to a file. sf.write("host1,0001:secret11,0002:secret12\n") sf.write("host2,0001:secret21,0002:secret22\n") sf.flush() # Configure the plugin to load them. config2 = pyramid.testing.setUp() config2.add_settings(self.DEFAULT_SETTINGS) config2.add_settings({ "who.plugin.macauth.secrets_file": sf.name, }) config2.include("mozsvc.user.whoauth") config2.commit() # It should accept a request signed with the old secret on host1. req = self._make_request(config=config2, environ={ "HTTP_HOST": "host1", }) id = tokenlib.make_token({"userid": 42}, secret="secret11") key = tokenlib.get_token_secret(id, secret="secret11") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request signed with the new secret on host1. req = self._make_request(config=config2, environ={ "HTTP_HOST": "host1", }) id = tokenlib.make_token({"userid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject a request signed with secret from other host. req = self._make_request(config=config2, environ={ "HTTP_HOST": "host2", }) id = tokenlib.make_token({"userid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(Exception, authenticated_userid, req) # It should accept a request signed with the new secret on host2. req = self._make_request(config=config2, environ={ "HTTP_HOST": "host2", }) id = tokenlib.make_token({"userid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject unknown hostnames. req = self._make_request(config=config2, environ={ "HTTP_HOST": "host3", }) id = tokenlib.make_token({"userid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(Exception, authenticated_userid, req)
def test_check_signature_fails_with_far_future_timestamp(self): req = Request.blank("/") # Do an initial request so that the server can # calculate and cache our clock skew. ts = str(int(time.time())) req.authorization = ("MAC", {"ts": ts}) sign_request(req, "myid", "mykey") self.assertTrue(check_signature(req, "mykey")) # Now do one with a far future timestamp. ts = str(int(time.time() + 1000)) req.authorization = ("MAC", {"ts": ts}) sign_request(req, "myid", "mykey") self.assertFalse(check_signature(req, "mykey"))
def test_authentication_with_reused_nonce_fails(self): creds = self._get_credentials(username="******") # First request with that nonce should succeed. req = Request.blank("/") req.authorization = ("MAC", {"nonce": "PEPPER"}) macauthlib.sign_request(req, **creds) r = self.app.request(req) self.assertEquals(r.body, "*****@*****.**") # Second request with that nonce should fail. req = Request.blank("/") req.authorization = ("MAC", {"nonce": "PEPPER"}) macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def test_check_signature_fails_with_reused_nonce(self): # First request with that nonce should succeed. req = Request.blank("/") req.authorization = ("MAC", {"nonce": "PEPPER"}) sign_request(req, "myid", "mykey") self.assertTrue(check_signature(req, "mykey")) # Second request with that nonce should fail. req = Request.blank("/") req.authorization = ("MAC", {"nonce": "PEPPER"}) sign_request(req, "myid", "mykey") self.assertFalse(check_signature(req, "mykey")) # But it will succeed if using a different nonce cache. self.assertTrue(check_signature(req, "mykey", nonces=NonceCache()))
def test_authentication_with_far_future_timestamp_fails(self): creds = self._get_credentials(username="******") req = Request.blank("/") # Do an initial request so that the server can # calculate and cache our clock skew. ts = str(int(time.time())) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=200) # Now do one with a far future timestamp. ts = str(int(time.time() + 1000)) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def test_authentication_with_expired_timestamp_fails(self): creds = self._get_credentials(username="******") req = self._make_request("/auth") # Do an initial request so that the server can # calculate and cache our clock skew. ts = str(int(time.time())) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=200) # Now do one with a really old timestamp. ts = str(int(time.time() - 1000)) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def test_authentication_with_expired_timestamp_fails(self): req = self._make_request("/auth") creds = self._get_credentials(req, username="******") # Do an initial request so that the server can # calculate and cache our clock skew. ts = str(int(time.time())) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=200) # Now do one with a really old timestamp. ts = str(int(time.time() - 1000)) req.authorization = ("MAC", {"ts": ts}) macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def test_that_macauth_is_used_by_default(self): # Generate signed request. req = self.make_request() tokenid, key = self.policy.encode_mac_id(req, 42) macauthlib.sign_request(req, tokenid, key) # That should be enough to authenticate. self.assertEquals(authenticated_userid(req), 42) self.assertEquals(req.user.get("uid"), 42) # Check that it rejects invalid MAC ids. req = self.make_request() macauthlib.sign_request(req, tokenid, key) authz = req.environ["HTTP_AUTHORIZATION"] req.environ["HTTP_AUTHORIZATION"] = authz.replace(tokenid, "XXXXXX") self.assertRaises(HTTPUnauthorized, authenticated_userid, req) # And that the rejection gets raised when accessing request.user self.assertRaises(HTTPUnauthorized, getattr, req, "user")
def test_passing_filelike_as_request_object(self): req = StringIO.StringIO(TEST_REQ) assert not check_signature(req, TEST_KEY, nonces=False) req = StringIO.StringIO(TEST_REQ) authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert TEST_SIG in authz req = StringIO.StringIO(TEST_REQ_SIGNED) assert check_signature(req, TEST_KEY, nonces=False)
def test_that_macauth_is_used_by_default(self): # Grab the MACAuth plugin so we can sign requests. policy = self.config.registry.queryUtility(IAuthenticationPolicy) api_factory = policy.api_factory mac_plugin = api_factory.authenticators[1][1] # Generate signed request. req = self._make_request() id, key = mac_plugin.encode_mac_id(req, {"userid": 42}) macauthlib.sign_request(req, id, key) # That should be enough to authenticate. self.assertEquals(authenticated_userid(req), 42) # Check that it rejects invalid MAC ids. req = self._make_request() macauthlib.sign_request(req, id, key) authz = req.environ["HTTP_AUTHORIZATION"] req.environ["HTTP_AUTHORIZATION"] = authz.replace(id, "XXX" + id) self.assertRaises(Exception, authenticated_userid, req)
def test_access_to_public_urls(self): # Request with no credentials is allowed access. req = Request.blank("/public") resp = self.app.request(req) self.assertEquals(resp.body, "public") # Request with valid credentials is allowed access. creds = self._get_credentials(username="******") req = Request.blank("/public") macauthlib.sign_request(req, **creds) resp = self.app.request(req) self.assertEquals(resp.body, "public") # Request with invalid credentials gets a 401. req = Request.blank("/public") macauthlib.sign_request(req, **creds) signature = macauthlib.utils.parse_authz_header(req)["mac"] authz = req.environ["HTTP_AUTHORIZATION"] authz = authz.replace(signature, "XXX" + signature) req.environ["HTTP_AUTHORIZATION"] = authz resp = self.app.request(req, status=401)
def _browse(self, url_in, params_in=None, description=None, ok_codes=None, method='post', *args, **kwds): # Automatically add a fresh MACAuth header to the request. if self.auth_token is not None: req = Request.blank(url_in) req.method = method.upper() if params_in and req.method in ("GET", "HEAD",): qs_items = ("%s=%s" % item for item in params_in.iteritems()) req.query_string = "&".join(qs_items) macauthlib.sign_request(req, self.auth_token, self.auth_secret) self.setHeader("Authorization", req.environ["HTTP_AUTHORIZATION"]) # Log the start and end of the request, for debugging purposes. args = (url_in, params_in, description, ok_codes, method) + args self.logi("%s: %s" % (method.upper(), url_in)) try: result = super(StressTest, self)._browse(*args, **kwds) except Exception, e: self.logi(" FAIL: " + url_in + " " + repr(e)) raise
def test_passing_requests_request_as_request_object(self): req = requests.Request( url="http://example.com/resource/1", method="POST", params=[("b", "1"), ("a", "2")], data="hello world", ) assert not check_signature(req, TEST_KEY, nonces=False) authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert TEST_SIG in authz assert check_signature(req, TEST_KEY, nonces=False)
def test_passing_environ_dict_as_request_object(self): req = { "wsgi.url_scheme": "http", "REQUEST_METHOD": "POST", "HTTP_HOST": "example.com", "HTTP_CONTENT_LENGTH": "11", "PATH_INFO": "/resource/1", "QUERY_STRING": "b=1&a=2", "wsgi.input": StringIO.StringIO("hello world") } assert not check_signature(req, TEST_KEY, nonces=False) authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert TEST_SIG in authz assert check_signature(req, TEST_KEY, nonces=False)
def send_job(repo, server, cycles='', duration='', nodes='', redirect_url=''): mac_user = os.environ.get('MACAUTH_USER') mac_secret = os.environ.get('MACAUTH_SECRET') request = Request.blank(server.rstrip('/') + '/test') request.method = 'POST' params = {'repo': repo, 'cycles': cycles, 'duration': duration, 'nodes': nodes, 'redirect_url': redirect_url, 'api_call': 1} request.body = urllib.urlencode(params) request.environ['CONTENT_TYPE'] = 'application/x-www-form-urlencoded' if mac_user is not None: tokenid = tokenlib.make_token({"user": mac_user}, secret=mac_secret) key = tokenlib.get_token_secret(tokenid, secret=mac_secret) sign_request(request, tokenid, key) resp = request.get_response(proxy_exact_request) if resp.status_int == 401: raise ValueError("Authorization Failed!") job_id = resp.json['job_id'] return server.rstrip('/') + '/test/' + job_id
def test_authenticated_request_works(self): creds = self._get_credentials(username="******") req = Request.blank("/") macauthlib.sign_request(req, **creds) r = self.app.request(req) self.assertEquals(r.body, "*****@*****.**")
def __call__(self, req): sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert check_signature(req, TEST_KEY, nonces=False) assert TEST_SIG in req.headers['Authorization'] raise RuntimeError("aborting the request")
def pre_request_hook(req): sign_request(req, TEST_ID, TEST_KEY) assert check_signature(req, TEST_KEY, nonces=False) raise RuntimeError("aborting the request")
def auth_hook(req): macauthlib.sign_request(req, **CREDENTIALS) return req
def test_that_macauth_can_use_per_node_hostname_secrets(self): with tempfile.NamedTemporaryFile() as sf: # Write some secrets to a file. sf.write("http://host1.com,0001:secret11,0002:secret12\n") sf.write("https://host2.com,0001:secret21,0002:secret22\n") sf.write("https://host3.com:444,0001:secret31,0002:secret32\n") sf.flush() # Configure the plugin to load them. config2 = pyramid.testing.setUp() config2.add_settings(DEFAULT_SETTINGS) config2.add_settings({ "macauth.secrets_file": sf.name, }) config2.include("mozsvc.user") config2.commit() # It should accept a request signed with the old secret on host1. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret11") key = tokenlib.get_token_secret(id, secret="secret11") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request signed with the new secret on host1. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject a request signed with secret from other host. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req) # It should reject a request over plain http when host2 is ssl. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req) # It should accept a request signed with the new secret on host2. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", "wsgi.url_scheme": "https", }) id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host1 with an explicit port number. # Use some trickery to give host_url a value with default port. req = ExpandoRequest( self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com:80", "wsgi.url_scheme": "http", })) req.host_url = "http://host1.com:80" id = tokenlib.make_token({"uid": 42}, secret="secret11") key = tokenlib.get_token_secret(id, secret="secret11") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host2 with an explicit port number. # Use some trickery to give host_url a value with default port. req = ExpandoRequest( self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com:443", "wsgi.url_scheme": "https", })) req.host_url = "https://host2.com:443" id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host3 on a custom port. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host3.com:444", "wsgi.url_scheme": "https", }) id = tokenlib.make_token({"uid": 42}, secret="secret32") key = tokenlib.get_token_secret(id, secret="secret32") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject unknown hostnames. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host4.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req)
def test_authentication_fails_when_macid_has_no_userid(self): req = self._make_request("/auth") creds = self._get_credentials(req, hello="world") macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def new_do_request(req, *args, **kwds): macauthlib.sign_request(req, self.auth_token, self.auth_secret) return orig_do_request(req, *args, **kwds)
def test_check_signature_fails_with_non_mac_scheme(self): req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" req = Request.from_bytes(req) sign_request(req, "myid", "mykey") req.authorization = ("OAuth", req.authorization[1]) self.assertFalse(check_signature(req, "mykey"))
def test_sign_request_throws_away_other_auth_params(self): req = Request.blank("/") req.authorization = ("Digest", {"response": "helloworld"}) sign_request(req, "id", "key") self.assertEquals(req.authorization[0], "MAC")
def test_passing_webob_request_as_request_object(self): req = webob.Request.from_bytes(TEST_REQ) assert not check_signature(req, TEST_KEY, nonces=False) authz = sign_request(req, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert TEST_SIG in authz assert check_signature(req, TEST_KEY, nonces=False)
def test_that_req_user_can_be_replaced(self): req = self.make_request() tokenid, key = self.policy.encode_mac_id(req, 42) macauthlib.sign_request(req, tokenid, key) req.user = {"uid": 7} self.assertEquals(req.user, {"uid": 7})
def test_authentication_fails_when_macid_has_no_userid(self): creds = self._get_credentials(hello="world") req = Request.blank("/") macauthlib.sign_request(req, **creds) self.app.request(req, status=401)
def test_passing_bytestring_as_request_object(self): assert not check_signature(TEST_REQ, TEST_KEY, nonces=False) authz = sign_request(TEST_REQ, TEST_ID, TEST_KEY, params=TEST_PARAMS) assert TEST_SIG in authz assert check_signature(TEST_REQ_SIGNED, TEST_KEY, nonces=False)
def _make_signed_request(self, userid, *args, **kwds): req = self._make_request(*args, **kwds) creds = self._get_credentials(req, userid=userid) macauthlib.sign_request(req, **creds) return req
def test_that_macauth_can_use_per_node_hostname_secrets(self): with tempfile.NamedTemporaryFile() as sf: # Write some secrets to a file. sf.write("http://host1.com,0001:secret11,0002:secret12\n") sf.write("https://host2.com,0001:secret21,0002:secret22\n") sf.write("https://host3.com:444,0001:secret31,0002:secret32\n") sf.flush() # Configure the plugin to load them. config2 = pyramid.testing.setUp() config2.add_settings(DEFAULT_SETTINGS) config2.add_settings({ "macauth.secrets_file": sf.name, }) config2.include("mozsvc.user") config2.commit() # It should accept a request signed with the old secret on host1. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret11") key = tokenlib.get_token_secret(id, secret="secret11") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request signed with the new secret on host1. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject a request signed with secret from other host. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req) # It should reject a request over plain http when host2 is ssl. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req) # It should accept a request signed with the new secret on host2. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com", "wsgi.url_scheme": "https", }) id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host1 with an explicit port number. # Use some trickery to give host_url a value with default port. req = ExpandoRequest(self.make_request(config=config2, environ={ "HTTP_HOST": "host1.com:80", "wsgi.url_scheme": "http", })) req.host_url = "http://host1.com:80" id = tokenlib.make_token({"uid": 42}, secret="secret11") key = tokenlib.get_token_secret(id, secret="secret11") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host2 with an explicit port number. # Use some trickery to give host_url a value with default port. req = ExpandoRequest(self.make_request(config=config2, environ={ "HTTP_HOST": "host2.com:443", "wsgi.url_scheme": "https", })) req.host_url = "https://host2.com:443" id = tokenlib.make_token({"uid": 42}, secret="secret22") key = tokenlib.get_token_secret(id, secret="secret22") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should accept a request to host3 on a custom port. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host3.com:444", "wsgi.url_scheme": "https", }) id = tokenlib.make_token({"uid": 42}, secret="secret32") key = tokenlib.get_token_secret(id, secret="secret32") macauthlib.sign_request(req, id, key) self.assertEquals(authenticated_userid(req), 42) # It should reject unknown hostnames. req = self.make_request(config=config2, environ={ "HTTP_HOST": "host4.com", }) id = tokenlib.make_token({"uid": 42}, secret="secret12") key = tokenlib.get_token_secret(id, secret="secret12") macauthlib.sign_request(req, id, key) self.assertRaises(HTTPUnauthorized, authenticated_userid, req)