U  W[@^ã@s¶dZddlmZmZddlZddlmZddlmZddl m Z ddl m Z ddl mZdd lmZdd lmZmZdd lmZdd lmZmZdd lmZddlmZddlmZmZmZddl m!Z!m"Z"ddl#m$Z$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-ddl.m/Z/ddl0m1Z1dd„Z2Gdd„dƒZ3Gdd„dƒZ4Gdd„de4e3e j5ƒZ6Gd d!„d!e4e j5ƒZ7Gd"d#„d#e4e j5ƒZ8eej9ƒGd$d%„d%e:ƒZ;Gd&d'„d'e j5ƒZr$r$r%Útest_invalidEncodinggsþz(BasicAuthTestsMixin.test_invalidEncodingcCs&tdƒ}| tj|jj|| ¡¡dS)z• L{basic.BasicCredentialFactory.decode} raises L{LoginFailed} when passed a response which is not valid base64-encoded text. s123abc+/N)r!rCr rDr,r;r'rEr$r$r%Útest_invalidCredentialsrsýz+BasicAuthTestsMixin.test_invalidCredentials)r0N) Ú__name__Ú __module__Ú __qualname__Ú__doc__r/r'r7r?rArFrGr$r$r$r%r&,s   r&c@seZdZddd„ZdS)Ú RequestMixinr0NcCs,|dkrtdddƒ}tdƒ}||_||_|S)zo Create a L{DummyRequest} (change me to create a L{twisted.web.http.Request} instead). NÚTCPZ localhostiÒó/)r rr3Úclient)r.r3r4r(r$r$r%r's  zRequestMixin.makeRequest)r0N)rHrIrJr'r$r$r$r%rL~srLc@seZdZdZdS)ÚBasicAuthTestszK Basic authentication tests which use L{twisted.web.http.Request}. N)rHrIrJrKr$r$r$r%rPsrPc@s8eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd S) ÚDigestAuthTestszL Digest authentication tests which use L{twisted.web.http.Request}. cCs,d|_d|_t |j|j¡|_| ¡|_dS)z> Create a DigestCredentialFactory for testing ó test realmómd5N)r)Ú algorithmrÚDigestCredentialFactoryr,r'r(r-r$r$r%r/™sÿzDigestAuthTests.setUpcsnd‰d‰dg‰tƒ‰‡‡‡‡‡fdd„}ˆ ˆjjd|¡ˆ ˆtdˆdƒ¡}ˆj ˆ|¡ˆ ˆd ¡d S) zÅ L{digest.DigestCredentialFactory.decode} calls the C{decode} method on L{twisted.cred.digest.DigestCredentialFactory} with the HTTP method and host of the request. s 169.254.0.1r0Fcs0ˆ ˆ|¡ˆ ˆ|¡ˆ ˆ|¡dˆd<dS)NTr)Ú assertEqual)Z _responseÚ_methodZ_host©ZdoneZhostr3r>r.r$r%Úcheck®s   z*DigestAuthTests.test_decode..checkr;rMéQrN)ÚobjectZpatchr,rr'r r;r6)r.rYZreqr$rXr%Ú test_decode¤szDigestAuthTests.test_decodecCs| tt|jƒ¡dS)zN L{DigestCredentialFactory} implements L{ICredentialFactory}. Nr5r-r$r$r%r7ºs ÿzDigestAuthTests.test_interfacecCst|j |j¡}| |dd¡| |dd¡| |dd¡| d|¡| d|¡| ¡D]}| d |¡q^d S) ah The challenge issued by L{DigestCredentialFactory.getChallenge} must include C{'qop'}, C{'realm'}, C{'algorithm'}, C{'nonce'}, and C{'opaque'} keys. The values for the C{'realm'} and C{'algorithm'} keys must match the values supplied to the factory's initializer. None of the values may have newlines in them. Úqopóauthr)rRrTrSÚnonceÚopaqueó N)r,Ú getChallenger(rVÚassertInÚvaluesZ assertNotIn)r.Ú challengeÚvr$r$r%Útest_getChallengeÂs   z!DigestAuthTests.test_getChallengecCsd| dd¡}|j |¡}| |dd¡| |dd¡| |dd¡| d |¡| d |¡dS) z  L{DigestCredentialFactory.getChallenge} can issue a challenge even if the L{Request} it is passed returns L{None} from C{getClientIP}. r0Nr]r^r)rRrTrSr_r`)r'r,rbrVrc)r.r(rer$r$r%Ú test_getChallengeWithoutClientIPÔs   z0DigestAuthTests.test_getChallengeWithoutClientIPN) rHrIrJrKr/r\r7rgrhr$r$r$r%rQ”s  rQc@s@eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd d „Z dS)ÚUnauthorizedResourceTestsz, Tests for L{UnauthorizedResource}. cCs4tgƒ}| | dd¡|¡| | dd¡|¡dS)zF An L{UnauthorizedResource} is every child of itself. ZfooNZbar)rZassertIdenticalZgetChildWithDefault)r.Úresourcer$r$r%Útest_getChildWithDefaultçs ÿ ÿz2UnauthorizedResourceTests.test_getChildWithDefaultcCs@ttdƒgƒ}| |¡| |jd¡| |j d¡dg¡dS)zç Render L{UnauthorizedResource} for the given request object and verify that the response code is I{Unauthorized} and that a I{WWW-Authenticate} header is set in the response containing a challenge. ú example.comé‘ówww-authenticatesbasic realm="example.com"N)rrÚrenderrVÚ responseCodeÚresponseHeadersÚ getRawHeaders)r.r(rjr$r$r%Ú_unauthorizedRenderTestòsÿ  þz1UnauthorizedResourceTests._unauthorizedRenderTestcCs*| ¡}| |¡| dd |j¡¡dS)zº L{UnauthorizedResource} renders with a 401 response code and a I{WWW-Authenticate} header and puts a simple unauthorized message into the response body. s Unauthorizedr8N©r'rsrVr:Úwritten©r.r(r$r$r%Ú test_renders z%UnauthorizedResourceTests.test_rendercCs.|jdd}| |¡| dd |j¡¡dS)z´ The rendering behavior of L{UnauthorizedResource} for a I{HEAD} request is like its handling of a I{GET} request, but no response body is written. sHEAD)r3r8Nrtrvr$r$r%Útest_renderHEAD s  z)UnauthorizedResourceTests.test_renderHEADcCs:ttdƒgƒ}| ¡}| |¡| |j d¡dg¡dS)z¾ The realm value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResounrce} is rendered has quotes and backslashes escaped. z example\"foornsbasic realm="example\\\"foo"N)rrr'rorVrqrr)r.rjr(r$r$r%Útest_renderQuotesRealmsÿ  þz0UnauthorizedResourceTests.test_renderQuotesRealmcCsPtt dd¡gƒ}| ¡}| |¡|j d¡d}| d|¡| d|¡dS)z¾ The digest value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResource} is rendered has quotes and backslashes escaped. rSs example\"foornrsrealm="example\\\"foo"shm="md5N)rrrUr'rorqrrrc)r.rjr(Z authHeaderr$r$r%Útest_renderQuotesDigest&s ÿ ÿþ z1UnauthorizedResourceTests.test_renderQuotesDigestN) rHrIrJrKrkrsrwrxryrzr$r$r$r%riãs   ric@s(eZdZdZdd„Zdd„Zdd„ZdS) ÚRealmaJ A simple L{IRealm} implementation which gives out L{WebAvatar} for any avatarId. @type loggedIn: C{int} @ivar loggedIn: The number of times C{requestAvatar} has been invoked for L{IResource}. @type loggedOut: C{int} @ivar loggedOut: The number of times the logout callback has been invoked. cCsd|_d|_||_dS)Nr)Ú loggedOutÚloggedInÚ avatarFactory)r.r~r$r$r%Ú__init__FszRealm.__init__cGs2t|kr(|jd7_t| |¡|jfStƒ‚dS©Né)rr}r~Úlogoutr1)r.ZavatarIdZmindZ interfacesr$r$r%Ú requestAvatarLszRealm.requestAvatarcCs|jd7_dSr€)r|r-r$r$r%r‚Ssz Realm.logoutN)rHrIrJrKrrƒr‚r$r$r$r%r{9s r{c@s¤eZdZdZeZdd„Zdd„Zdd„Zdd „Z d d „Z d d „Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zd d!„Zd"d#„Zd$d%„Zd&S)'ÚHTTPAuthHeaderTestsz. Tests for L{HTTPAuthSessionWrapper}. cCs¨d|_d|_d|_d|_d|_tƒ|_|j |j|j¡t|jdƒ|_ |j   |jt|jdƒ¡|j|j i|_ t |j j ƒ|_t |j|jg¡|_g|_t|j|jƒ|_dS)z\ Create a realm, portal, and L{HTTPAuthSessionWrapper} to use in the tests. sfoo barsbar bazs&contents of the avatar resource itselfs foo-childs'contents of the foo child of the avatarú text/plainN)r*r+Ú avatarContentÚ childNameÚ childContentr ZcheckerZaddUserrÚavatarÚputChildÚavatarsr{Úgetr)r ZPortalÚcredentialFactoriesrÚwrapperr-r$r$r%r/^s( ÿÿzHTTPAuthHeaderTests.setUpcCs2t|jd|jƒ}|j dd|¡t|j|ƒS)z¹ Add an I{basic authorization} header to the given request and then dispatch it, starting from C{self.wrapper} and returning the resulting L{IResource}. r9ó authorizationóBasic )r!r*r+ÚrequestHeadersÚ addRawHeaderrrŽ)r.r(Z authorizationr$r$r%Ú_authorizedBasicLogints ÿz)HTTPAuthHeaderTests._authorizedBasicLogincsHˆ ˆjg¡‰tˆjˆƒ}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)z× Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} instance when the request does not have the required I{Authorization} headers. csˆ ˆjd¡dS©Nrm©rVrp©Úresult©r(r.r$r%Ú cbFinished‰sz@HTTPAuthHeaderTests.test_getChildWithDefault..cbFinished)r'r‡rrŽÚ notifyFinishÚ addCallbackro©r.ÚchildÚdr™r$r˜r%rk€s   z,HTTPAuthHeaderTests.test_getChildWithDefaultcsfˆj tdƒ¡ˆ ˆjg¡‰ˆj d|¡tˆjˆƒ}ˆ  ¡}‡‡fdd„}|  |¡ˆ  |¡|S)a( Create a request with the given value as the value of an I{Authorization} header and perform resource traversal with it, starting at C{self.wrapper}. Assert that the result is a 401 response code. Return a L{Deferred} which fires when this is all done. rlrcsˆ ˆjd¡dSr”r•r–r˜r$r%r™œszAHTTPAuthHeaderTests._invalidAuthorizationTest..cbFinished) rÚappendrr'r‡r‘r’rrŽršr›ro)r.r>rržr™r$r˜r%Ú_invalidAuthorizationTests   z-HTTPAuthHeaderTests._invalidAuthorizationTestcCs| dtdƒ¡S)zÚ Resource traversal which enouncters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} when the request has an I{Authorization} header with a user which does not exist. rsfoo:bar)r r!r-r$r$r%Ú(test_getChildWithDefaultUnauthorizedUser£s ÿzHTTPAuthHeaderTests.test_getChildWithDefaultUnrecognizedSchemecsVˆj tdƒ¡ˆ ˆjg¡‰ˆ ˆ¡}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)zû Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{IResource} which renders the L{IResource} avatar retrieved from the portal when the request has a valid I{Authorization} header. rlcsˆ ˆjˆjg¡dSr)rVrurˆ©Zignoredr˜r$r%r™ÌszJHTTPAuthHeaderTests.test_getChildWithDefaultAuthorized..cbFinished) rrŸrr'r‡r“ršr›rorœr$r˜r%Ú"test_getChildWithDefaultAuthorizedÁs   z6HTTPAuthHeaderTests.test_getChildWithDefaultAuthorizedcsRˆj tdƒ¡ˆ g¡‰ˆ ˆ¡}ˆ ¡}‡‡fdd„}| |¡ˆ |¡|S)a Resource traversal which terminates at an L{HTTPAuthSessionWrapper} and includes correct authentication headers results in the L{IResource} avatar (not one of its children) retrieved from the portal being rendered. rlcsˆ ˆjˆjg¡dSr)rVrur†r¤r˜r$r%r™ßsz=HTTPAuthHeaderTests.test_renderAuthorized..cbFinished)rrŸrr'r“ršr›rorœr$r˜r%Útest_renderAuthorizedÓs    z)HTTPAuthHeaderTests.test_renderAuthorizedcstttƒGdd„dtƒƒ}|ƒ‰ˆj ˆ¡ˆ ˆjg¡‰tˆjˆƒ}ˆ  ¡}‡‡‡fdd„}|  |¡ˆ  |¡|S)zº When L{HTTPAuthSessionWrapper} finds an L{ICredentialFactory} to issue a challenge, it calls the C{getChallenge} method with the request as an argument. c@s eZdZdZdd„Zdd„ZdS)zUHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactorysdumbcSs g|_dSr)Úrequestsr-r$r$r%rðsz^HTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.__init__cSs|j |¡iSr)r§rŸrvr$r$r%rbós zbHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.getChallengeN)rHrIrJÚschemerrbr$r$r$r%ÚDumbCredentialFactoryìsr©csˆ ˆjˆg¡dSr)rVr§r¤©Úfactoryr(r.r$r%r™üszJHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..cbFinished) rrr[rrŸr'r‡rrŽršr›ro)r.r©rržr™r$rªr%Ú"test_getChallengeCalledWithRequestæs     z6HTTPAuthHeaderTests.test_getChallengeCalledWithRequestcCsh|j tdƒ¡Gdd„dtƒ}|j |j|ƒ¡| |jg¡}| |¡}|  |¡|  |j j d¡|S)a Issue a request for an authentication-protected resource using valid credentials and then return the C{DummyRequest} instance which was used. This is a helper for tests about the behavior of the logout callback. rlc@seZdZdd„ZdS)z7HTTPAuthHeaderTests._logoutTest..SlowerResourcecSstSrrrvr$r$r%rosz>HTTPAuthHeaderTests._logoutTest..SlowerResource.renderN)rHrIrJror$r$r$r%ÚSlowerResourcesr­r) rrŸrrr‰rŠr‡r'r“rorVr)r|)r.r­r(rr$r$r%Ú _logoutTests   zHTTPAuthHeaderTests._logoutTestcCs$| ¡}| ¡| |jjd¡dS)zX The realm's logout callback is invoked after the resource is rendered. rN)r®ZfinishrVr)r|rvr$r$r%Ú test_logoutszHTTPAuthHeaderTests.test_logoutcCs.| ¡}| ttdƒƒ¡| |jjd¡dS)zª The realm's logout callback is also invoked if there is an error generating the response (for example, if the client disconnects early). zSimulated disconnectrN)r®ZprocessingFailedrrrVr)r|rvr$r$r%Útest_logoutOnError#s  ÿz&HTTPAuthHeaderTests.test_logoutOnErrorcCsH|j tdƒ¡| |jg¡}|j dd¡t|j|ƒ}|  |t ¡dS)zã Resource traversal which enouncters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} when the request has a I{Basic Authorization} header which cannot be decoded using base64. rlrsBasic decode should failN) rrŸrr'r‡r‘r’rrŽÚassertIsInstancer)r.r(rr$r$r%Útest_decodeRaises/s  z%HTTPAuthHeaderTests.test_decodeRaisescCsHd}| |j |¡d¡tdƒ}|j |¡| |j |¡|df¡dS)zì L{HTTPAuthSessionWrapper._selectParseHeader} returns a two-tuple giving the L{ICredentialFactory} to use to parse the header and a string containing the portion of the header which remains to be parsed. sBasic abcdef123456)NNrls abcdef123456N)rVrŽZ_selectParseHeaderrrrŸ)r.ZbasicAuthorizationr«r$r$r%Útest_selectParseResponse<s þ  þz,HTTPAuthHeaderTests.test_selectParseResponsecs¾t |t¡}Gdd„dtƒ‰G‡fdd„dtƒ}|j |ƒ¡| |jg¡}|j   dd¡t |j |ƒ}|  |¡| |jd¡| dt|ƒ¡| |d d jˆ¡| t| ˆ¡ƒd¡d S) z´ Any unexpected exception raised by the credential factory's C{decode} method results in a 500 response code and causes the exception to be logged. c@s eZdZdS)zKHTTPAuthHeaderTests.test_unexpectedDecodeError..UnexpectedExceptionN©rHrIrJr$r$r$r%ÚUnexpectedExceptionWsrµcs$eZdZdZdd„Z‡fdd„ZdS)zBHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactorysbadcSsiSrr$)r.rOr$r$r%rb]szOHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.getChallengecs ˆƒ‚dSrr$)r.r>r(©rµr$r%r;`szIHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.decodeN)rHrIrJr¨rbr;r$r¶r$r%Ú BadFactoryZsr·rsBad abcéôrrÚ log_failureN)rÚcreateWithCleanuprÚ Exceptionr[rrŸr'r‡r‘r’rrŽrorVrpÚ assertEqualsÚlenr±ÚvalueÚflushLoggedErrors)r.Ú logObserverr·r(rr$r¶r%Útest_unexpectedDecodeErrorMs$þ    þz.HTTPAuthHeaderTests.test_unexpectedDecodeErrorcs¾t |t¡}Gdd„dtƒ‰G‡fdd„dtƒ}|j |ƒ¡|j t dƒ¡|  |j g¡}|  |¡}|  |¡| |jd¡| dt|ƒ¡| |dd jˆ¡| t| ˆ¡ƒd¡d S) z‰ Any unexpected failure from L{Portal.login} results in a 500 response code and causes the failure to be logged. c@s eZdZdS)zJHTTPAuthHeaderTests.test_unexpectedLoginError..UnexpectedExceptionNr´r$r$r$r%rµzsrµcseZdZefZ‡fdd„ZdS)zDHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenCheckercs ˆƒ‚dSrr$)r.Z credentialsr¶r$r%ÚrequestAvatarId€szTHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenChecker.requestAvatarIdN)rHrIrJrZcredentialInterfacesrÂr$r¶r$r%Ú BrokenChecker}srÃrlr¸rrr¹N)rrºrr»r[r ÚregisterCheckerrrŸrr'r‡r“rorVrpr¼r½r±r¾r¿)r.rÀrÃr(rr$r¶r%Útest_unexpectedLoginErrorqs$þ   þz-HTTPAuthHeaderTests.test_unexpectedLoginErrorcs’d‰tƒˆjt<ˆjt ˆjtˆdƒ¡ˆj tƒ¡ˆj   t dƒ¡ˆ  ˆjg¡‰t ˆjˆƒ}ˆ ¡}‡‡‡fdd„}| |¡ˆ |¡|S)zl Anonymous requests are allowed if a L{Portal} has an anonymous checker registered. s*contents of the unprotected child resourcer…rlcsˆ ˆjˆg¡dSr)rVrur¤©r(r.ZunprotectedContentsr$r%r™¡sz.cbFinished)rr‹r rŠr‡rr rÄrrrŸrr'rrŽršr›rorœr$rÆr%Útest_anonymousAccess‘s  ÿ   z(HTTPAuthHeaderTests.test_anonymousAccessN)rHrIrJrKrr'r/r“rkr r¡r¢r£r¥r¦r¬r®r¯r°r²r³rÁrÅrÇr$r$r$r%r„Xs(       $ r„)=rKZ __future__rrr Zzope.interfacerZzope.interface.verifyrZ twisted.trialrZtwisted.python.failurerZtwisted.internet.errorrZtwisted.internet.addressr Z twisted.credr r Ztwisted.cred.checkersr r rZtwisted.cred.credentialsrZtwisted.web.iwebrZtwisted.web.resourcerrrZtwisted.web._authrrZtwisted.web._auth.wrapperrrZtwisted.web._auth.basicrZtwisted.web.serverrZtwisted.web.staticrZtwisted.web.test.test_webrZtwisted.test.proto_helpersrZtwisted.loggerrr!r&rLZTestCaserPrQriZIRealmr[r{r„r$r$r$r%Ús>               ROU