def test_authenticate_invalid(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
otheruser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce=python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
# an invalid request
fourth_request = self.create_mock_request_for_header(
'Digest blah blah blah')
# an invalid request
fifth_request = self.create_mock_request_for_header(None)
# an invalid nonce
sixth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=1,
nonce=python_digest.calculate_nonce(time.time(), secret='bad secret'))
# an invalid request digest (wrong password)
seventh_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
# attack attempts / failures don't invalidate the session or increment nonce_cont
eighth_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
eighth_request.user = testuser
# mismatched URI
ninth_request = self.create_mock_request(
username=testuser.username, nonce=nonce, password='******',
nonce_count=4, request_path='/different/path')
# stale nonce
tenth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=4,
nonce=python_digest.calculate_nonce(
time.time()-60000, secret=settings.SECRET_KEY))
# once the nonce is used by one user, can't be reused by another
eleventh_request = self.create_mock_request(
username=otheruser.username, password='******', nonce=nonce,
nonce_count=4)
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertFalse(authenticator.authenticate(fourth_request))
self.assertFalse(authenticator.authenticate(fifth_request))
self.assertFalse(authenticator.authenticate(sixth_request))
self.assertFalse(authenticator.authenticate(seventh_request))
self.assertTrue(authenticator.authenticate(eighth_request))
self.assertFalse(authenticator.authenticate(ninth_request))
self.assertFalse(authenticator.authenticate(tenth_request))
self.assertFalse(authenticator.authenticate(eleventh_request))
def test_authenticate_invalid(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
otheruser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce=python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
# an invalid request
fourth_request = self.create_mock_request_for_header(
'Digest blah blah blah')
# an invalid request
fifth_request = self.create_mock_request_for_header(None)
# an invalid nonce
sixth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=1,
nonce=python_digest.calculate_nonce(time.time(), secret='bad secret'))
# an invalid request digest (wrong password)
seventh_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
# attack attempts / failures don't invalidate the session or increment nonce_cont
eighth_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
eighth_request.user = testuser
# mismatched URI
ninth_request = self.create_mock_request(
username=testuser.username, nonce=nonce, password='******',
nonce_count=4, request_path='/different/path')
# stale nonce
tenth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=4,
nonce=python_digest.calculate_nonce(
time.time()-60000, secret=settings.SECRET_KEY))
# once the nonce is used by one user, can't be reused by another
eleventh_request = self.create_mock_request(
username=otheruser.username, password='******', nonce=nonce,
nonce_count=4)
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertFalse(authenticator.authenticate(fourth_request))
self.assertFalse(authenticator.authenticate(fifth_request))
self.assertFalse(authenticator.authenticate(sixth_request))
self.assertFalse(authenticator.authenticate(seventh_request))
self.assertTrue(authenticator.authenticate(eighth_request))
self.assertFalse(authenticator.authenticate(ninth_request))
self.assertFalse(authenticator.authenticate(tenth_request))
self.assertFalse(authenticator.authenticate(eleventh_request))
def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
otheruser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
with transaction.commit_on_success():
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
with transaction.commit_on_success():
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
def test_authenticate_missing(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
# if the partial digest is not in the DB, authentication fails
twelfth_request = self.create_mock_request(username=testuser.username,
password='******',
nonce_count=3)
authenticator = HttpDigestAuthenticator()
PartialDigest.objects.all().delete()
self.assertFalse(authenticator.authenticate(twelfth_request))
def test_authenticate_missing(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
# if the partial digest is not in the DB, authentication fails
twelfth_request = self.create_mock_request(username=testuser.username,
password='******',
nonce_count=3)
authenticator = HttpDigestAuthenticator()
PartialDigest.objects.all().delete()
self.assertFalse(authenticator.authenticate(twelfth_request))
def _get_http_auth_header(username, password, uri):
return build_authorization_request(
username,
'GET',
uri,
3,
nonce=calculate_nonce(time.time(), settings.SECRET_KEY),
realm='DJANGO',
opaque='myopaque',
password=password,
)
def _get_http_auth_header(username, password, uri):
return build_authorization_request(
username,
'GET',
uri,
3,
nonce=calculate_nonce(time.time(), settings.SECRET_KEY),
realm='DJANGO',
opaque='myopaque',
password=password,
)
def test_authenticate_nonce(self):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce = python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******',
nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
assert 'HTTP_AUTHORIZATION' in first_request.META
assert python_digest.is_digest_credential(
first_request.META['HTTP_AUTHORIZATION'])
self.assertTrue(
HttpDigestAuthenticator.contains_digest_credentials(first_request))
transaction.set_autocommit(False)
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
transaction.commit()
transaction.set_autocommit(True)
def create_mock_request(self, username='******', realm=None,
method='GET', uri='/dummy/uri', nonce=None, request_digest=None,
algorithm=None, opaque='dummy-opaque', qop='auth', nonce_count=1,
client_nonce=None, password='******', request_path=None):
if not realm:
realm = get_setting('DIGEST_REALM', DEFAULT_REALM)
if not nonce:
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
if not request_path:
request_path = uri
header = python_digest.build_authorization_request(
username=username, realm=realm, method=method, uri=uri, nonce=nonce, opaque=opaque,
nonce_count=nonce_count, password=password, request_digest=request_digest,
client_nonce=client_nonce)
request = self.create_mock_request_for_header(header)
expect(request.method).result(method)
expect(request.path).result(request_path)
return request
def create_mock_request(self, username='******', realm=None,
method='GET', uri='/dummy/uri', nonce=None, request_digest=None,
algorithm=None, opaque='dummy-opaque', qop='auth', nonce_count=1,
client_nonce=None, password='******', request_path=None):
if not realm:
realm = get_setting('DIGEST_REALM', DEFAULT_REALM)
if not nonce:
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
if not request_path:
request_path = uri
header = python_digest.build_authorization_request(
username=username, realm=realm, method=method, uri=uri, nonce=nonce, opaque=opaque,
nonce_count=nonce_count, password=password, request_digest=request_digest,
client_nonce=client_nonce)
request = self.create_mock_request_for_header(header)
expect(request.method).result(method)
expect(request.path).result(request_path)
return request
def test_disable_nonce_count_enforcement(self):
with patch(settings, DIGEST_ENFORCE_NONCE_COUNT=False):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce=python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
first_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will succeed
second_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce)
second_request.user = testuser
authenticator = HttpDigestAuthenticator()
self.assertTrue(authenticator.authenticate(first_request))
self.assertTrue(authenticator.authenticate(second_request))
def test_disable_nonce_count_enforcement(self):
with patch(settings, DIGEST_ENFORCE_NONCE_COUNT=False):
testuser = User.objects.create_user(username='******',
email='*****@*****.**',
password='******')
nonce = python_digest.calculate_nonce(time.time(),
secret=settings.SECRET_KEY)
first_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will succeed
second_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce)
second_request.user = testuser
authenticator = HttpDigestAuthenticator()
self.assertTrue(authenticator.authenticate(first_request))
self.assertTrue(authenticator.authenticate(second_request))
def test_authenticate_nonce(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
authenticator = HttpDigestAuthenticator()
assert 'HTTP_AUTHORIZATION' in first_request.META
assert python_digest.is_digest_credential(first_request.META['HTTP_AUTHORIZATION'])
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(
first_request
))
transaction.set_autocommit(False)
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
transaction.rollback()
self.assertTrue(authenticator.authenticate(third_request))
transaction.commit()
transaction.set_autocommit(True)
def test_authenticate(self):
testuser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
otheruser = User.objects.create_user(
username='******', email='*****@*****.**', password='******')
nonce=python_digest.calculate_nonce(time.time(), secret=settings.SECRET_KEY)
first_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
first_request.user = testuser
# same nonce, same nonce count, will fail
second_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce)
# same nonce, new nonce count, it works
third_request = self.create_mock_request(username=testuser.username,
password='******', nonce=nonce,
nonce_count=2)
third_request.user = testuser
# an invalid request
fourth_request = self.create_mock_request_for_header(
'Digest blah blah blah')
# an invalid request
fifth_request = self.create_mock_request_for_header(None)
# an invalid nonce
sixth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=1,
nonce=python_digest.calculate_nonce(time.time(), secret='bad secret'))
# an invalid request digest (wrong password)
seventh_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
# attack attempts / failures don't invalidate the session or increment nonce_cont
eighth_request = self.create_mock_request(
username=testuser.username, password='******', nonce=nonce,
nonce_count=3)
eighth_request.user = testuser
# mismatched URI
ninth_request = self.create_mock_request(
username=testuser.username, nonce=nonce, password='******',
nonce_count=4, request_path='/different/path')
# stale nonce
tenth_request = self.create_mock_request(
username=testuser.username, password='******', nonce_count=4,
nonce=python_digest.calculate_nonce(
time.time()-60000, secret=settings.SECRET_KEY))
# once the nonce is used by one user, can't be reused by another
eleventh_request = self.create_mock_request(
username=otheruser.username, password='******', nonce=nonce,
nonce_count=4)
# if the partial digest is not in the DB, authentication fails
twelfth_request = self.create_mock_request(username=testuser.username,
password='******', nonce_count=3)
# a request for Basic auth
thirteenth_request = self.create_mock_request_for_header(
'Basic YmxhaDpibGFo')
authenticator = HttpDigestAuthenticator()
with self.mocker:
self.assertTrue(HttpDigestAuthenticator.contains_digest_credentials(first_request))
self.assertTrue(authenticator.authenticate(first_request))
self.assertFalse(authenticator.authenticate(second_request))
self.assertTrue(authenticator.authenticate(third_request))
self.assertFalse(authenticator.authenticate(fourth_request))
self.assertFalse(authenticator.authenticate(fifth_request))
self.assertFalse(authenticator.authenticate(sixth_request))
self.assertFalse(authenticator.authenticate(seventh_request))
self.assertTrue(authenticator.authenticate(eighth_request))
self.assertFalse(authenticator.authenticate(ninth_request))
self.assertFalse(authenticator.authenticate(tenth_request))
self.assertFalse(authenticator.authenticate(eleventh_request))
PartialDigest.objects.all().delete()
self.assertFalse(authenticator.authenticate(twelfth_request))
self.assertFalse(authenticator.authenticate(thirteenth_request))
