U  W[!_@sdZddlmZmZddlZddlmZddlmZm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZmZmZdd lmZmZdd lmZd dZGdddeZGddde ZdS)z[ Tests for L{twisted.cred._digest} and the associated bits in L{twisted.cred.credentials}. )divisionabsolute_importN)hexlify)md5sha1) verifyObject)TestCase) IPv4Address) LoginFailed)calcHA1calcHA2IUsernameDigestHash) calcResponseDigestCredentialFactory) networkStringcCst|S)N)base64 b64encodestrip)srC/usr/lib/python3/dist-packages/twisted/cred/test/test_digestauth.pyrsrcs0eZdZdZfddZddZddZZS)FakeDigestCredentialFactoryz\ A Fake Digest Credential Factory that generates a predictable nonce and opaque cstt|j||d|_dS)N0)superr__init__ privateKey)selfargskwargs __class__rrr"sz$FakeDigestCredentialFactory.__init__cCsdS)z) Generate a static nonce s178288758716122392881254770685rrrrr_generateNonce'sz*FakeDigestCredentialFactory._generateNoncecCsdS)z& Return a stable time rrr!rrr_getTime.sz$FakeDigestCredentialFactory._getTime)__name__ __module__ __qualname____doc__rr"r# __classcell__rrrrrs rc@sZeZdZdZddZdefddZddZd d Zdefd d Z defd dZ ddZ ddZ ddZ ddZdefddZddZddZdefddZdd Zd!d"ZdOd$d%Zd&d'ZdPd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Z dd?Z"d@dAZ#dBdCZ$dDdEZ%dFdGZ&dHdIZ'dJdKZ(dLdMZ)dNS)QDigestAuthTestsz L{TestCase} mixin class which defines a number of tests for L{DigestCredentialFactory}. Because this mixin defines C{setUp}, it must be inherited before L{TestCase}. cCsRd|_d|_d|_d|_d|_d|_d|_tdd d |_d |_ t |j|j|_ d S) z> Create a DigestCredentialFactory for testing foobarsbazquuxs test realmmd5s 29fc54aa1641c6fa0e151419361c8f23auths/write/ZTCPz10.2.3.4iuGETN) usernamepasswordrealm algorithmcnonceqopurir clientAddressmethodrcredentialFactoryr!rrrsetUp<szDigestAuthTests.setUpr+cCsTd}t||j|j|j||j}d|j|j|jf}t||}|||dS)z L{calcHA1} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, excluding the nonce and cnonce. s abc123xyz:N) r r.r0r/r2joinrdigest assertEqual)r _algorithm_hashnoncehashA1a1expectedrrrtest_MD5HashA1MszDigestAuthTests.test_MD5HashA1cCs~d}td|j|j|j||j}|jd|jd|j}tt|}|d|d|j}tt|}|||dS)z L{calcHA1} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, including the nonce and cnonce. s xyz321abcmd5-sessr9N) r r.r0r/r2rrr;r<)rr?r@rAha1rBrrrtest_MD5SessionHashA1Zsz%DigestAuthTests.test_MD5SessionHashA1cCs|dtdS)z L{calcHA1} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, excluding the nonce and cnonce. shaN)rCrr!rrrtest_SHAHashA1iszDigestAuthTests.test_SHAHashA1cCsDd}t|||jdd}|d|j}t||}|||dS)z L{calcHA2} accepts the C{'md5'} algorithm and returns an MD5 hash of its arguments, excluding the entity hash for QOP other than C{'auth-int'}. r-r,Nr9r r4rr;r<)rr=r>r6hashA2a2rBrrrtest_MD5HashA2Authqs z"DigestAuthTests.test_MD5HashA2AuthcCsPd}d}t|||jd|}|d|jd|}t||}|||dS)z L{calcHA2} accepts the C{'md5'} algorithm and returns an MD5 hash of its arguments, including the entity hash for QOP of C{'auth-int'}. r-s foobarbazsauth-intr9NrI)rr=r>r6ZhentityrJrKrBrrrtest_MD5HashA2AuthInt~s z%DigestAuthTests.test_MD5HashA2AuthIntcCs|ddS)z L{calcHA2} accepts the C{'md5-sess'} algorithm and QOP of C{'auth'} and returns the same value as it does for the C{'md5'} algorithm. rDN)rLr!rrrtest_MD5SessHashA2Authsz&DigestAuthTests.test_MD5SessHashA2AuthcCs|ddS)z L{calcHA2} accepts the C{'md5-sess'} algorithm and QOP of C{'auth-int'} and returns the same value as it does for the C{'md5'} algorithm. rDN)rMr!rrrtest_MD5SessHashA2AuthIntsz)DigestAuthTests.test_MD5SessHashA2AuthIntcCs|dtdS)z L{calcHA2} accepts the C{'sha'} algorithm and returns a SHA hash of its arguments, excluding the entity hash for QOP other than C{'auth-int'}. rGN)rLrr!rrrtest_SHAHashA2Authsz"DigestAuthTests.test_SHAHashA2AuthcCs|dtdS)z L{calcHA2} accepts the C{'sha'} algorithm and returns a SHA hash of its arguments, including the entity hash for QOP of C{'auth-int'}. rGN)rMrr!rrrtest_SHAHashA2AuthIntsz%DigestAuthTests.test_SHAHashA2AuthIntc CsTd}d}d}|d|d|}t||}t||||ddd}|||dS)z L{calcResponse} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} abc123789xyzlmnopqr9Nrr;rr<) rr=r>r@rJr?responserBr;rrrtest_MD5HashResponsesz$DigestAuthTests.test_MD5HashResponsecCs|ddS)z L{calcResponse} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} rDN)rWr!rrrtest_MD5SessionHashResponsesz+DigestAuthTests.test_MD5SessionHashResponsecCs|dtdS)z L{calcResponse} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, excluding the nonce count, client nonce, and QoP value if the nonce count and client nonce are L{None} rGN)rWrr!rrrtest_SHAHashResponsesz$DigestAuthTests.test_SHAHashResponsec Csxd}d}d}d}d}d}|d|d|d|d|d|} t|| } t|||||||} || | dS) z L{calcResponse} accepts the C{'md5'} algorithm and returns an MD5 hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rRrSrTs00000004s abcxyz123r,r9NrU) rr=r>r@rJr?Z nonceCountZ clientNoncer3rVrBr;rrrtest_MD5HashResponseExtras8z)DigestAuthTests.test_MD5HashResponseExtracCs|ddS)z L{calcResponse} accepts the C{'md5-sess'} algorithm and returns an MD5 hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rDN)rZr!rrr test_MD5SessionHashResponseExtrasz0DigestAuthTests.test_MD5SessionHashResponseExtracCs|dtdS)z L{calcResponse} accepts the C{'sha'} algorithm and returns a SHA hash of its parameters, including the nonce count, client nonce, and QoP value if they are specified. rGN)rZrr!rrrtest_SHAHashResponseExtrasz)DigestAuthTests.test_SHAHashResponseExtraTc sd|kr|j|d<d|kr$|j|d<d|kr6|j|d<d|krH|j|d<d|krZ|j|d<d|krl|j|d<|rvdndd fd d |DS) a Format all given keyword arguments and their values suitably for use as the value of an HTTP header. @types quotes: C{bool} @param quotes: A flag indicating whether to quote the values of each field in the response. @param **kw: Keywords and C{bytes} values which will be treated as field name/value pairs to include in the result. @rtype: C{bytes} @return: The given fields formatted for use as an HTTP header value. r.r0r1r3r2r4"s, c s0g|](\}}|dk rdt|d|fqS)Nr^=)r:r).0kvZquoterr sz2DigestAuthTests.formatResponse..)r.r0r1r3r2r4r:items)rquoteskwrrcrformatResponses$      zDigestAuthTests.formatResponsec Csh|d}|d}|d}t||j|j|j||j}t|d|j|d}t ||||||j|}|S)z@ Calculate the response for the given challenge r?r1r3r-N) getlowerr r.r0r/r2r r4r) r challengeZncountr?Zalgor3rEZha2rBrrrgetDigestResponses,  z!DigestAuthTests.getDigestResponsecCsz|j|jj}d}|j||d|||||dd}|j||j|jj}|| |j | | |j ddS)z L{DigestCredentialFactory.decode} accepts a digest challenge response and parses it into an L{IUsernameHashedPassword} provider. 00000001r?opaque)rfr?rVncrnwrongN r7 getChallenger5hostrhrldecoder6 assertTrue checkPasswordr/ assertFalse)rrfrkroclientResponsecredsrrr test_response/s$ zDigestAuthTests.test_responsecCs|ddS)a L{DigestCredentialFactory.decode} accepts a digest challenge response which does not quote the values of its fields and parses it into an L{IUsernameHashedPassword} provider in the same way it would a response which included quoted field values. FN)rzr!rrrtest_responseWithoutQuotesDsz*DigestAuthTests.test_responseWithoutQuotescCsd|_|ddS)z L{DigestCredentialFactory.decode} accepts a digest challenge response which quotes the values of its fields and includes a C{b","} in the URI field. s /some,path/TN)r4rzr!rrrtest_responseWithCommaURINsz)DigestAuthTests.test_responseWithCommaURIcCsd|_|dS)zs The case of the algorithm value in the response is ignored when checking the credentials. sMD5Nr1rzr!rrrtest_caseInsensitiveAlgorithmXsz-DigestAuthTests.test_caseInsensitiveAlgorithmcCsd|_|dS)zV The algorithm defaults to MD5 if it is not supplied in the response. Nr}r!rrrtest_md5DefaultAlgorithmasz(DigestAuthTests.test_md5DefaultAlgorithmcCsp|jd}d}|j|d|||||dd}|j||jd}|||j| ||jddS)z L{DigestCredentialFactory.decode} accepts a digest challenge response even if the client address it is passed is L{None}. Nrmr?rnr?rVrornrp) r7rrrhrlrtr6rurvr/rwrrkrorxryrrrtest_responseWithoutClientIPis   z,DigestAuthTests.test_responseWithoutClientIPcCs|j|jj}d}|j|d|||||dd}|j||j|jj}|| |j | | |j dd}|j|d|||||dd}|j||j|jj}|| |j | | |j ddS)zm L{DigestCredentialFactory.decode} handles multiple responses to a single challenge. rmr?rnrrps00000002Nrqrrrrtest_multiResponse|s6    z"DigestAuthTests.test_multiResponsecCsv|j|jj}d}|j|d|||||dd}|j|d|jj}|||j |||j ddS)a& L{DigestCredentialFactory.decode} returns an L{IUsernameHashedPassword} provider which rejects a correct password for the given user if the challenge response request is made using a different HTTP method than was used to request the initial challenge. rmr?rnrsPOSTrpN) r7rrr5rsrhrlrtrwrvr/rrrrtest_failsWithDifferentMethods  z-DigestAuthTests.test_failsWithDifferentMethodcCsl|t|jj|jdd|j|jj}|t |d|t|jj|jdd|j|jj}|t |ddS)z L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no username field or if the username field is empty. N)r.z$Invalid response, no username given.r^ assertRaisesr r7rtrhr6r5rsr<strrerrrtest_noUsernames   zDigestAuthTests.test_noUsernamecCs8|t|jj|jdd|j|jj}|t |ddS)zo L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no nonce. rR)rnz!Invalid response, no nonce given.Nrrrrr test_noNonces zDigestAuthTests.test_noNoncecCs4|t|jj||j|jj}|t |ddS)zp L{DigestCredentialFactory.decode} raises L{LoginFailed} if the response has no opaque. z"Invalid response, no opaque given.Nrrrrr test_noOpaqueszDigestAuthTests.test_noOpaquecCs|j|jj}d}|j|d|||||dd}|j||j|jj}|t t ||j d|j d|j }t|}||t||d||t|dS)z L{DigestCredentialFactory.decode} returns an L{IUsernameDigestHash} provider which can verify a hash of the form 'username:realm:password'. rmr?rnrr9rpN)r7rrr5rsrhrlrtr6rurr r.r0r/rZ checkHashrr;updaterw)rrkrorxryZ cleartexthashrrrtest_checkHashs&   zDigestAuthTests.test_checkHashcCst|j|j}||jj}|t|jd|d|jj}| t |ddt d}|t|j||d|jj}| t |d|t|jd|d|jj}| t |ddt d |dt |jjdf}|t|j||d|jj}| t |d d S) z L{DigestCredentialFactory.decode} raises L{LoginFailed} when the opaque value does not contain all the required parts. s badOpaquer?z&Invalid response, invalid opaque valuesfoo-snonce,clientipr^,r*z,Invalid response, invalid opaque/time valuesN)rr1r0rrr5rsrr _verifyOpaquer<rrr:r)rr7rkexcZ badOpaquerrrtest_invalidOpaques\   z"DigestAuthTests.test_invalidOpaquecCst|j|j}||jj}|d|jj}|t|j ||d|jj}| t |d|t|j |d|jj}| t |ddS)z L{DigestCredentialFactory.decode} raises L{LoginFailed} when the given nonce from the response does not match the nonce encoded in the opaque. s 1234567890r?z2Invalid response, incompatible opaque/nonce valuesr^N) rr1r0rrr5rs_generateOpaquerr rr<r)rr7rkbadNonceOpaquerrrrtest_incompatibleNonce.s<z&DigestAuthTests.test_incompatibleNoncecCs`t|j|j}||jj}d}||jj|||d|}|t |j ||d|jjdS)z L{DigestCredentialFactory.decode} raises L{LoginFailed} when the request comes from a client IP other than what is encoded in the opaque. z10.0.0.1r?N) rr1r0rrr5rsZassertNotEqualrrr r)rr7rkZ badAddressrrrrtest_incompatibleClientIPPs"z)DigestAuthTests.test_incompatibleClientIPcCst|j|j}||jj}d|dt|jjdf}tt ||j  }t |}d|| df}|t|j||d|jjdS)z L{DigestCredentialFactory.decode} raises L{LoginFailed} when the given opaque is older than C{DigestCredentialFactory.CHALLENGE_LIFETIME_SECS} rr?s -137876876- N)rr1r0rrr5rsr:rrrrr;rrrr r)rr7rkkeyr;ZekeyZoldNonceOpaquerrr test_oldNonceis$  zDigestAuthTests.test_oldNoncecCs~t|j|j}||jj}d|dt|jjdf}tt |d }d|t |f}| t |j||d|jjdS)z~ L{DigestCredentialFactory.decode} raises L{LoginFailed} when the opaque checksum fails verification. rr?rsthis is not the right pkeyrN)rr1r0rrr5rsr:rrrr;rrr r)rr7rkrr;Z badChecksumrrrtest_mismatchedOpaqueChecksums"  z-DigestAuthTests.test_mismatchedOpaqueChecksumc Cs6d}|D](\}}}}|jttd|||dd|d qdS)z L{calcHA1} raises L{TypeError} when any of the pszUsername, pszRealm, or pszPassword arguments are specified with the preHA1 keyword argument. ))suserrealmpasswordpreHA1)NrNr)NNrrr+snoncescnonce)preHA1N)r TypeErrorr )rZ argumentsZ pszUsernameZpszRealmZ pszPasswordrrrrtest_incompatibleCalcHA1Optionssz/DigestAuthTests.test_incompatibleCalcHA1OptionscCs|jdd}|d|dS)z L{DigestCredentialFactory._generateOpaque} returns a value without newlines, regardless of the length of the nonce. snlong nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce long nonce Nr)r7rZ assertNotIn)rrnrrrtest_noNewlineOpaques z$DigestAuthTests.test_noNewlineOpaqueN)T)T)*r$r%r&r'r8rrCrFrHrLrMrNrOrPrQrWrXrYrZr[r\rhrlrzr{r|r~rrrrrrrrrrrrrrrrrrrr)6sL        '    !  1"r))r'Z __future__rrrZbinasciirZhashlibrrZzope.interface.verifyrZtwisted.trial.unittestrZtwisted.internet.addressr Ztwisted.cred.errorr Ztwisted.cred.credentialsr r r rrZtwisted.python.compatrrrr)rrrrs