U  W[\@sdZddlmZmZddlmZddlmZddlm Z m Z ddlm Z ddl m Z ddlmZmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZddlmZedredrddl m!Z!ddl"m#Z#ddl$m%Z%m&Z&m'Z'ddl(m)Z)n dZ%GdddZ'GdddZ&Gddde&j*Z+Gddde&j*Z,Gddde&j*Z-Gd d!d!e'j.Z/eeGd"d#d#e0Z1eeGd$d%d%e0Z2eeGd&d'd'e0Z3eeGd(d)d)e0Z4Gd*d+d+ej5Z6Gd,d-d-ej5Z7Gd.d/d/ej5Z8Gd0d1d1ej5Z9dS)2zT Tests for the implementation of the ssh-userauth service. Maintainer: Paul Swartz )absolute_importdivision) implementer)ICredentialsChecker)IUsernamePasswordISSHPrivateKey) IAnonymous)UnauthorizedLogin)IRealmPortal) ConchErrorValidPublicKey)defertask)loopback) requireModule)unittest) _bytesChrZ cryptographyZpyasn1)NS)SSHProtocolChecker)keysuserauth transport)keydataNc@seZdZGdddZdS)rc@seZdZdZdS)ztransport.SSHTransportBaseQ A stub class so that later class definitions won't die. N__name__ __module__ __qualname____doc__r r B/usr/lib/python3/dist-packages/twisted/conch/test/test_userauth.pySSHTransportBase$sr"N)rrrr"r r r r!r#src@seZdZGdddZdS)rc@seZdZdZdS)zuserauth.SSHUserAuthClientrNrr r r r!SSHUserAuthClient*sr#N)rrrr#r r r r!r)src@s2eZdZdZddZddZd ddZd d ZdS) ClientUserAuthz" A mock user auth client. cCs,|jrtjtjSttjtjSdS)z If this is the first time we've been called, return a blob for the DSA key. Otherwise, return a blob for the RSA key. N) Z lastPublicKeyrKey fromStringrpublicRSA_opensshrsucceedpublicDSA_opensshselfr r r! getPublicKey6s  zClientUserAuth.getPublicKeycCsttjtjS)z@ Return the private key object for the RSA key. )rr(rr%r&rprivateRSA_opensshr*r r r! getPrivateKeyCszClientUserAuth.getPrivateKeyNcCs tdS)z/ Return 'foo' as the password. foorr()r+promptr r r! getPasswordJszClientUserAuth.getPasswordcCs tdS)z> Return 'foo' as the answer to two questions. )foor3r0)r+nameZ informationZanswersr r r!getGenericAnswersQsz ClientUserAuth.getGenericAnswers)N)rrrrr,r.r2r5r r r r!r$1s   r$c@s eZdZdZddZddZdS) OldClientAuthz~ The old SSHUserAuthClient returned a cryptography key object from getPrivateKey() and a string from getPublicKey cCsttjtjjSN)rr(rr%r&rr-Z keyObjectr*r r r!r._s zOldClientAuth.getPrivateKeycCstjtjSr7)rr%r&rr'blobr*r r r!r,dszOldClientAuth.getPublicKeyNrrrrr.r,r r r r!r6Ysr6c@s eZdZdZddZddZdS)ClientAuthWithoutPrivateKeyzP This client doesn't have a private key, but it does have a public key. cCsdSr7r r*r r r!r.nsz)ClientAuthWithoutPrivateKey.getPrivateKeycCstjtjSr7)rr%r&rr'r*r r r!r,rsz(ClientAuthWithoutPrivateKey.getPublicKeyNr9r r r r!r:isr:c@sPeZdZdZGdddeZGdddeZddZdd Zd d Z d d Z dS) FakeTransporta_ L{userauth.SSHUserAuthServer} expects an SSH transport which has a factory attribute which has a portal attribute. Because the portal is important for testing authentication, we need to be able to provide an interesting portal object to the L{SSHUserAuthServer}. In addition, we want to be able to capture any packets sent over the transport. @ivar packets: a list of 2-tuples: (messageType, data). Each 2-tuple is a sent packet. @type packets: C{list} @param lostConnecion: True if loseConnection has been called on us. @type lostConnection: L{bool} c@seZdZdZdZddZdS)zFakeTransport.ServicezW A mock service, representing the other service offered by the server. nancycCsdSr7r r*r r r!serviceStartedsz$FakeTransport.Service.serviceStartedN)rrrrr4r=r r r r!Servicesr>c@seZdZdZddZdS)zFakeTransport.Factoryzg A mock factory, representing the factory that spawned this user auth service. cCs|dkrtjSdS)z2 Return our fake service. noneN)r;r>)r+rservicer r r! getServicesz FakeTransport.Factory.getServiceN)rrrrrAr r r r!FactorysrBcCs(||_||j_d|_||_g|_dSNF)rBfactoryportallostConnectionrpackets)r+rEr r r!__init__s  zFakeTransport.__init__cCs|j||fdS)z8 Record the packet sent by the service. N)rGappend)r+Z messageTypemessager r r! sendPacketszFakeTransport.sendPacketcCsdS)z Pretend that this transport encrypts traffic in both directions. The SSHUserAuthServer disables password authentication if the transport isn't encrypted. Tr )r+ directionr r r! isEncryptedszFakeTransport.isEncryptedcCs d|_dSNT)rFr*r r r!loseConnectionszFakeTransport.loseConnectionN) rrrrobjectr>rBrHrKrMrOr r r r!r;ws  r;c@seZdZdZddZdS)Realmz A mock realm for testing L{userauth.SSHUserAuthServer}. This realm is not actually used in the course of testing, so it returns the simplest thing that could possibly work. cGst|ddddfS)NrcSsdSr7r r r r r!z%Realm.requestAvatar..r0)r+ZavatarIdZmindZ interfacesr r r! requestAvatarszRealm.requestAvatarN)rrrrrTr r r r!rQsrQc@seZdZdZefZddZdS)PasswordCheckerz A very simple username/password checker which authenticates anyone whose password matches their username and rejects all others. cCs&|j|jkrt|jSttdS)NzInvalid username/password pair)usernameZpasswordrr(failr )r+credsr r r!requestAvatarIds  zPasswordChecker.requestAvatarIdN)rrrrrcredentialInterfacesrYr r r r!rUsrUc@seZdZdZefZddZdS)PrivateKeyCheckerz A very simple public key checker which authenticates anyone whose public/private keypair is the same keydata.public/privateRSA_openssh. cCsX|jtjtjkrN|jdk rHtj|j}||j|jrN|j Snt t dSr7) r8rr%r&rr' signatureZverifysigDatarVr r )r+rXobjr r r!rYs z!PrivateKeyChecker.requestAvatarIdN)rrrrrrZrYr r r r!r[sr[c@seZdZdZefZdS)AnonymousCheckerzI A simple checker which isn't supported by L{SSHUserAuthServer}. N)rrrrrrZr r r r!r_sr_c@seZdZdZedkrdZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+ZdS),SSHUserAuthServerTestsz& Tests for SSHUserAuthServer. Ncannot run without cryptographycCsbt|_t|j|_|jt|jtt|_ t |j|j _ |j |j j dSr7)rQrealmr rEregisterCheckerrUr[rSSHUserAuthServer authServerr;rr=supportedAuthenticationssortr*r r r!setUps   zSSHUserAuthServerTests.setUpcCs|jd|_dSr7)reserviceStoppedr*r r r!tearDown s zSSHUserAuthServerTests.tearDowncCs(||jjjdtjtddfdS)z; Check that the authentication has failed. spassword,publickeyN) assertEqualrerrGrZMSG_USERAUTH_FAILURErr+ignoredr r r! _checkFaileds  z#SSHUserAuthServerTests._checkFailedcCs,|jtdtdtd}||jS)z A client may request a list of authentication 'method name' values that may continue by using the "none" authentication 'method name'. See RFC 4252 Section 5.2. r/sservicer?)ressh_USERAUTH_REQUESTr addCallbackrp)r+dr r r!test_noneAuthenticationsz.SSHUserAuthServerTests.test_noneAuthenticationcsJdtdtdtdtdtdg}j|}fdd}||S)z When provided with correct password authentication information, the server should respond by sending a MSG_USERAUTH_SUCCESS message with no other data. See RFC 4252, Section 5.1. rSr/r?passwordrcsjjjtjdfgdSNrSrmrerrGrZMSG_USERAUTH_SUCCESSror*r r!check2s zKSSHUserAuthServerTests.test_successfulPasswordAuthentication..check)joinrchrrerqrrr+packetrsryr r*r!%test_successfulPasswordAuthentication's   z.check)rr%r&rr'r8r-rZsshTyperer sessionIDsignr{rMSG_USERAUTH_REQUESTrqrr)r+r8r^r}r\rsryr r*r!'test_successfulPrivateKeyAuthenticationLs     z>SSHUserAuthServerTests.test_successfulPrivateKeyAuthenticationcstdd}dd}fdd}||jd|||jd|||jd |td td td td }|j||tS)z ssh_USERAUTH_REQUEST should raise a ConchError if tryAuth returns None. Added to catch a bug noticed by pyflakes. cSs|ddS)Nz&request should have raised ConochError)rWrnr r r!mockCbFinishedAuthfszOSSHUserAuthServerTests.test_requestRaisesConchError..mockCbFinishedAuthcSsdSr7r )Zkinduserdatar r r! mockTryAuthiszHSSHUserAuthServerTests.test_requestRaisesConchError..mockTryAuthcs|jdSr7)Zerrbackvalue)reasonrsr r! mockEbBadAuthlszJSSHUserAuthServerTests.test_requestRaisesConchError..mockEbBadAuthtryAuthZ_cbFinishedAuthZ _ebBadAuthsuserr?s public-keysdata)rZDeferredpatchrerrq assertFailurer )r+rrrr}r rr!test_requestRaisesConchError_s   z3SSHUserAuthServerTests.test_requestRaisesConchErrorcsbtjtjtdtdtddtdt}j|}fdd}| |S)z@ Test that verifying a valid private key works. r/r?rrlssh-rsacs*jjjtjtdtfgdS)Nr)rmrerrGrMSG_USERAUTH_PK_OKrrxr8r+r r!rys z@SSHUserAuthServerTests.test_verifyValidPrivateKey..check) rr%r&rr'r8rrerqrrr|r rr!test_verifyValidPrivateKeyzs z1SSHUserAuthServerTests.test_verifyValidPrivateKeycCsVtjtj}tdtdtddtdt|}|j|}| |j S)d Test that private key authentication fails when the public key is invalid. r/r?rrlsssh-dsa rr%r&rr)r8rrerqrrrpr+r8r}rsr r r!3test_failedPrivateKeyAuthenticationWithoutSignatures zJSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithoutSignaturecCs|tjtj}tjtj}tdtdtddtdt|t||}d|j j _ |j |}| |jS)rr/r?rrrr)rr%r&rr'r8r-rrrerrrqrrrp)r+r8r^r}rsr r r!0test_failedPrivateKeyAuthenticationWithSignatures   zGSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithSignaturecCsjtjtj}td|dd}tdtdtddtdt|}|j|}| |j S) z Private key authentication fails when the public key type is unsupported or the public key is corrupt. s ssh-bad-type Nr/r?rrlrrrr r r!test_unsupported_publickeys z1SSHUserAuthServerTests.test_unsupported_publickeycCsRt}t|j|_|jt|||j | |j ddgdS)ah L{SSHUserAuthServer} sets up C{SSHUserAuthServer.supportedAuthentications} by checking the portal's credentials interfaces and mapping them to SSH authentication method strings. If the Portal advertises an interface that L{SSHUserAuthServer} can't map, it should be ignored. This is a white box test. rurN) rrdr;rErrcr_r=rirfrgrmr+serverr r r! test_ignoreUnknownCredInterfacess   z7SSHUserAuthServerTests.test_ignoreUnknownCredInterfacescCs|d|jjt}t|j|_dd|j_| | | d|jt}t|j|_dd|j_| | |d|jdS)z Test that the userauth service does not advertise password authentication if the password would be send in cleartext. rucSsdSrCr xr r r!rRrSzISSHUserAuthServerTests.test_removePasswordIfUnencrypted..cSs|dkSNinr rr r r!rRrSN) ZassertInrerfrrdr;rErrMr=riZ assertNotIn)r+clearAuthServerhalfAuthServerr r r! test_removePasswordIfUnencrypteds    z7SSHUserAuthServerTests.test_removePasswordIfUnencryptedcCst|j}|tt}t||_dd|j_| | | |j dgt}t||_dd|j_| | | |j dgdS)z If the L{SSHUserAuthServer} is not advertising passwords, then an unencrypted connection should not cause any warnings or exceptions. This is a white box test. cSsdSrCr rr r r!rRrSzSSSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswords..rcSs|dkSrr rr r r!rRrSN) r rbrcr[rrdr;rrMr=rirmrf)r+rErrr r r!*test_unencryptedConnectionWithoutPasswordss$      zASSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswordscCs~t}t|_t|j|_||j d| | |jj tj dttjtdtdfg||jjdS)z0 Test that the login times out. 鰚syou took too longrSN)rrdrrrr;rErr=rrirmrGMSG_DISCONNECTr{)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLErZ assertTruerFr+ZtimeoutAuthServerr r r!test_loginTimeouts$    z(SSHUserAuthServerTests.test_loginTimeoutcCs\t}t|_t|j|_|| |j d| |jj g| |jjdS)zN Test that stopping the service also stops the login timeout. rN)rrdrrrr;rErr=rirrmrG assertFalserFrr r r!test_cancelLoginTimeout s   z.SSHUserAuthServerTests.test_cancelLoginTimeoutcsrdtdtdtdtdtdg}tj_tdD]}j|}jj dq<fd d }| |S) zm Test that the server disconnects if the client fails authentication too many times. rSr/r?rurrrcs:jjjdtjdttjtdtdfdS)Nrkrstoo many bad authsrS)rmrerrGrr{rrrxr*r r!ry$sz:SSHUserAuthServerTests.test_tooManyAttempts..check) rzrr{rrrerrangerqrrr)r+r}irsryr r*r!test_tooManyAttemptss    z+SSHUserAuthServerTests.test_tooManyAttemptscCsLtdtdtdtdtd}t|j_|j|}||jS)zo If the user requests a service that we don't support, the authentication should fail. r/rSrur) rr{rrrerrqrrrprr r r!test_failIfUnknownService-s(  z0SSHUserAuthServerTests.test_failIfUnknownServicecsVdd}jd|jddfdd}jddd}|t|S) aZ tryAuth() has two edge cases that are difficult to reach. 1) an authentication method auth_* returns None instead of a Deferred. 2) an authentication type that is defined does not have a matching auth_* method. Both these cases should return a Deferred which fails with a ConchError. cSsdSr7r )r}r r r!mockAuthCsz>SSHUserAuthServerTests.test_tryAuthEdgeCases..mockAuthZauth_publickeyZ auth_passwordNcsjddd}|tS)Nru)rerrr )roZd2r*r r! secondTestIsz@SSHUserAuthServerTests.test_tryAuthEdgeCases..secondTestr)rrerrr rr)r+rrZd1r r*r!test_tryAuthEdgeCases8s  z,SSHUserAuthServerTests.test_tryAuthEdgeCases)rrrrrskiprhrjrprtr~rrrrrrrrrrrrrrrr r r r!r`s.     r`c@seZdZdZedkrdZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!ZdS)"SSHUserAuthClientTestsz& Tests for SSHUserAuthClient. NracCs4tdt|_td|j_d|jj_|jdS)Nr/r)r$r;r> authClientrrr=r*r r r!rh[s  zSSHUserAuthClientTests.setUpcCs|jd|_dSr7)rrir*r r r!rjbs zSSHUserAuthClientTests.tearDowncCsT||jjd||jjjd||jjjtjt dt dt dfgdS)z; Test that client is initialized properly. r/r<r?N) rmrrinstancer4rrGrrrr*r r r! test_initgs z SSHUserAuthClientTests.test_initcs@dgfdd}||jj_|jd|d|jjdS)z9 Test that the client succeeds properly. Ncs |d<dS)Nrr )r@rr r!stubSetServicewszDSSHUserAuthClientTests.test_USERAUTH_SUCCESS..stubSetServicerSr)rrZ setServiceZssh_USERAUTH_SUCCESSrmr)r+rr rr!test_USERAUTH_SUCCESSrs    z,SSHUserAuthClientTests.test_USERAUTH_SUCCESSc Cs|jtdd||jjjdtjtdtdtddtdttj t j  f|jtddttj t j }||jjjdtjtdtdtddtd|f|jtdttj t j t|jjjttjtdtdtddtd|}tj t j}||jjjdtjtdtdtddtd|t||fd S) zJ Test that the client can authenticate with a public key. rrlrkr/r<sssh-dssrN)rssh_USERAUTH_FAILURErrmrrGrrrr%r&rr)r8r'ssh_USERAUTH_PK_OKrr{r-r)r+r8r]r^r r r!test_publickey~sv   z%SSHUserAuthClientTests.test_publickeycCsztdt}td|_d|j_||dg|j_|| d| |jjt j t dt dt dfgdS)z If the SSHUserAuthClient doesn't return anything from signData, the client should start the authentication over again by requesting 'none' authentication. r/NrrrSr<r?)r:r;r>rrr=rrG assertIsNonerrmrrr)r+rr r r!!test_publickey_without_privatekeys   z8SSHUserAuthClientTests.test_publickey_without_privatekeycs.ddj_jd}fdd}||S)z{ If there's no public key, auth_publickey should return a Deferred called back with a False value. cSsdSr7r rr r r!rRrSz:SSHUserAuthClientTests.test_no_publickey..rcs|dSr7)rresultr*r r!rysz7SSHUserAuthClientTests.test_no_publickey..check)rr,rrr)r+rsryr r*r!test_no_publickeys   z(SSHUserAuthClientTests.test_no_publickeycCs|jtdd||jjjdtjtdtdtddtdf|jtdtd||jjjdtjtdtdtddtddfd S) zx Test that the client can authentication with a password. This includes changing the password. rurlrkr/r<rSrrN) rrrrmrrGrrrr*r r r! test_passwords( z$SSHUserAuthClientTests.test_passwordcCs"dd|j_||jddS)zK If getPassword returns None, tryAuth should return False. cSsdSr7r r r r r!rRrSz9SSHUserAuthClientTests.test_no_password..ruN)rr2rrr*r r r!test_no_passwords z'SSHUserAuthClientTests.test_no_passwordcCs`|jtdtdtddtdd||jjjdtjdtdtdfdS) zj Make sure that the client can authenticate with the keyboard interactive method. rSss Password: rlrksr/N)rZ'ssh_USERAUTH_PK_OK_keyboard_interactiverrmrrGrZMSG_USERAUTH_INFO_RESPONSEr*r r r!test_keyboardInteractives z/SSHUserAuthClientTests.test_keyboardInteractivecCsPd|j_g|jj_|jd||jjjtjtdtdtdfgdS)z If C{SSHUserAuthClient} gets a MSG_USERAUTH_PK_OK packet when it's not expecting it, it should fail the current authentication and move on to the next type. sunknownrSr/r<r?N) rZlastAuthrrGrrmrrrr*r r r!"test_USERAUTH_PK_OK_unknown_methods    z9SSHUserAuthClientTests.test_USERAUTH_PK_OK_unknown_methodcsfdd}fdd}|j_|j_jtddjjjdtj tdtd td dtdfjtd d jjjd dddgdS)z ssh_USERAUTH_FAILURE should sort the methods by their position in SSHUserAuthClient.preferredOrder. Methods that are not in preferredOrder should be sorted at the end of that list. csjjdddS)N here is datarrrKr r*r r!auth_firstmethodszNSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_firstmethodcsjjdddS)N other dataTrr r*r r!auth_anothermethodszPSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_anothermethodsanothermethod,passwordrlrkr/r<rus"firstmethod,anothermethod,passwordrN)rr)rr) rrrrrrmrrGrr)r+rrr r*r!test_USERAUTH_FAILURE_sortings,    z4SSHUserAuthClientTests.test_USERAUTH_FAILURE_sortingcCsT|jtdd|jtdd||jjjdtjdtddfdS) z If there are no more available user authentication messages, the SSHUserAuthClient should disconnect with code DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE. rurlrrkss(no more authentication methods availablesN)rrrrmrrGrr*r r r!%test_disconnectIfNoMoreAuthentication sz.checkcs*|tddd}|jSr7)rrr5rrrWrr)rcheck3r+r r!r1s z4SSHUserAuthClientTests.test_defaults..check2cSs|tdSr7)rrrr r r!r5sz4SSHUserAuthClientTests.test_defaults..check3) rr#r;r>rr,r.rrrWr)r+ryrsr )rrrr+r! test_defaults$sz$SSHUserAuthClientTests.test_defaults)rrrrrrrhrjrrrrrrrrrrrrrr r r r!rRs$    rc@s.eZdZedkrdZGdddZddZdS) LoopbackTestsN)cannot run without cryptography or PyASN1c@s"eZdZGdddZddZdS)zLoopbackTests.Factoryc@s eZdZdZddZddZdS)zLoopbackTests.Factory.Service TestServicecCs|jdSr7)rrOr*r r r!r=Gsz,LoopbackTests.Factory.Service.serviceStartedcCsdSr7r r*r r r!riKsz,LoopbackTests.Factory.Service.serviceStoppedN)rrrr4r=rir r r r!r>Csr>cCs|jSr7)r>)r+Zavatarr4r r r!rAOsz LoopbackTests.Factory.getServiceN)rrrr>rAr r r r!rBBs rBcs ttdj}t_j_ddj_t|_||j_dj_ |j_ ddj_ |j_ j_ d_ t }t|}tttfdd_||jj _tj|j}ddjj_d d|jj_|fd d }||S) zW Test that the userauth server and client play nicely with each other. r/cSsdSrNr rr r r!rR]rSz-LoopbackTests.test_loopback..rScSsdSr7r r r r r!rRcrSrcstj|dkS)Nr)lenZsuccessfulCredentials)ZaId)checkerr r!rRmscSsdS)NZ_ServerLoopbackr r r r r!rRsrScSsdS)NZ_ClientLoopbackr r r r r!rRtrScsjjjddS)Nr)rmrr@r4rxrr r!ryysz*LoopbackTests.test_loopback..check)rrdr$rBr>rr"r@rMrZ sendKexInitrDZ passwordDelayrQr rrcrUr[ZareDonerErZ loopbackAsyncZ logPrefixr=rr)r+ZclientrbrErsryr )rr+rr! test_loopbackSs6        zLoopbackTests.test_loopback)rrrrrrBrr r r r!r<src@s eZdZedkrdZddZdS)ModuleInitializationTestsNrcCs,|tjjdd|tjjdddS)N<r)rmrrdZprotocolMessagesr#r*r r r! test_messagess z'ModuleInitializationTests.test_messages)rrrrrrr r r r!rsr):rZ __future__rrZzope.interfacerZtwisted.cred.checkersrZtwisted.cred.credentialsrrrZtwisted.cred.errorr Ztwisted.cred.portalr r Ztwisted.conch.errorr r Ztwisted.internetrrZtwisted.protocolsrZtwisted.python.reflectrZ twisted.trialrZtwisted.python.compatrr{Ztwisted.conch.ssh.commonrZtwisted.conch.checkersrZtwisted.conch.sshrrrZtwisted.conch.testrr#r$r6r:r"r;rPrQrUr[r_ZTestCaser`rrrr r r r!sP          (G \kC