25 |
25 |
import os
|
26 |
26 |
import unittest
|
27 |
27 |
import time
|
|
28 |
import tempfile
|
28 |
29 |
|
29 |
30 |
from ganeti import http
|
30 |
31 |
|
... | ... | |
70 |
71 |
|
71 |
72 |
def testHttpServerRequest(self):
|
72 |
73 |
"""Test ganeti.http.server._HttpServerRequest"""
|
73 |
|
fake_request = http.HttpMessage()
|
74 |
|
fake_request.start_line = \
|
75 |
|
http.HttpClientToServerStartLine("GET", "/", "HTTP/1.1")
|
76 |
|
server_request = http.server._HttpServerRequest(fake_request)
|
|
74 |
server_request = http.server._HttpServerRequest("GET", "/", None, None)
|
77 |
75 |
|
78 |
76 |
# These are expected by users of the HTTP server
|
79 |
77 |
self.assert_(hasattr(server_request, "request_method"))
|
... | ... | |
95 |
93 |
self.assert_(message_reader_class.START_LINE_LENGTH_MAX > 0)
|
96 |
94 |
self.assert_(message_reader_class.HEADER_LENGTH_MAX > 0)
|
97 |
95 |
|
|
96 |
def testFormatAuthHeader(self):
|
|
97 |
self.assertEqual(http.auth._FormatAuthHeader("Basic", {}),
|
|
98 |
"Basic")
|
|
99 |
self.assertEqual(http.auth._FormatAuthHeader("Basic", { "foo": "bar", }),
|
|
100 |
"Basic foo=bar")
|
|
101 |
self.assertEqual(http.auth._FormatAuthHeader("Basic", { "foo": "", }),
|
|
102 |
"Basic foo=\"\"")
|
|
103 |
self.assertEqual(http.auth._FormatAuthHeader("Basic", { "foo": "x,y", }),
|
|
104 |
"Basic foo=\"x,y\"")
|
|
105 |
params = {
|
|
106 |
"foo": "x,y",
|
|
107 |
"realm": "secure",
|
|
108 |
}
|
|
109 |
# It's a dict whose order isn't guaranteed, hence checking a list
|
|
110 |
self.assert_(http.auth._FormatAuthHeader("Digest", params) in
|
|
111 |
("Digest foo=\"x,y\" realm=secure",
|
|
112 |
"Digest realm=secure foo=\"x,y\""))
|
|
113 |
|
98 |
114 |
|
99 |
115 |
class _FakeRequestAuth(http.auth.HttpServerRequestAuthentication):
|
100 |
|
def __init__(self, realm):
|
|
116 |
def __init__(self, realm, authreq, authenticate_fn):
|
101 |
117 |
http.auth.HttpServerRequestAuthentication.__init__(self)
|
102 |
118 |
|
103 |
119 |
self.realm = realm
|
|
120 |
self.authreq = authreq
|
|
121 |
self.authenticate_fn = authenticate_fn
|
|
122 |
|
|
123 |
def AuthenticationRequired(self, req):
|
|
124 |
return self.authreq
|
104 |
125 |
|
105 |
126 |
def GetAuthRealm(self, req):
|
106 |
127 |
return self.realm
|
107 |
128 |
|
|
129 |
def Authenticate(self, *args):
|
|
130 |
if self.authenticate_fn:
|
|
131 |
return self.authenticate_fn(*args)
|
|
132 |
raise NotImplementedError()
|
|
133 |
|
108 |
134 |
|
109 |
135 |
class TestAuth(unittest.TestCase):
|
110 |
136 |
"""Authentication tests"""
|
... | ... | |
112 |
138 |
hsra = http.auth.HttpServerRequestAuthentication
|
113 |
139 |
|
114 |
140 |
def testConstants(self):
|
115 |
|
self.assertEqual(self.hsra._CLEARTEXT_SCHEME,
|
116 |
|
self.hsra._CLEARTEXT_SCHEME.upper())
|
117 |
|
self.assertEqual(self.hsra._HA1_SCHEME,
|
118 |
|
self.hsra._HA1_SCHEME.upper())
|
|
141 |
for scheme in [self.hsra._CLEARTEXT_SCHEME, self.hsra._HA1_SCHEME]:
|
|
142 |
self.assertEqual(scheme, scheme.upper())
|
|
143 |
self.assert_(scheme.startswith("{"))
|
|
144 |
self.assert_(scheme.endswith("}"))
|
119 |
145 |
|
120 |
146 |
def _testVerifyBasicAuthPassword(self, realm, user, password, expected):
|
121 |
|
ra = _FakeRequestAuth(realm)
|
|
147 |
ra = _FakeRequestAuth(realm, False, None)
|
122 |
148 |
|
123 |
149 |
return ra.VerifyBasicAuthPassword(None, user, password, expected)
|
124 |
150 |
|
125 |
|
|
126 |
151 |
def testVerifyBasicAuthPassword(self):
|
127 |
152 |
tvbap = self._testVerifyBasicAuthPassword
|
128 |
153 |
|
... | ... | |
164 |
189 |
"{HA1}92ea58ae804481498c257b2f65561a17"))
|
165 |
190 |
|
166 |
191 |
|
|
192 |
class _SimpleAuthenticator:
|
|
193 |
def __init__(self, user, password):
|
|
194 |
self.user = user
|
|
195 |
self.password = password
|
|
196 |
self.called = False
|
|
197 |
|
|
198 |
def __call__(self, req, user, password):
|
|
199 |
self.called = True
|
|
200 |
return self.user == user and self.password == password
|
|
201 |
|
|
202 |
|
|
203 |
class TestHttpServerRequestAuthentication(unittest.TestCase):
|
|
204 |
def testNoAuth(self):
|
|
205 |
req = http.server._HttpServerRequest("GET", "/", None, None)
|
|
206 |
_FakeRequestAuth("area1", False, None).PreHandleRequest(req)
|
|
207 |
|
|
208 |
def testNoRealm(self):
|
|
209 |
headers = { http.HTTP_AUTHORIZATION: "", }
|
|
210 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
211 |
ra = _FakeRequestAuth(None, False, None)
|
|
212 |
self.assertRaises(AssertionError, ra.PreHandleRequest, req)
|
|
213 |
|
|
214 |
def testNoScheme(self):
|
|
215 |
headers = { http.HTTP_AUTHORIZATION: "", }
|
|
216 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
217 |
ra = _FakeRequestAuth("area1", False, None)
|
|
218 |
self.assertRaises(http.HttpUnauthorized, ra.PreHandleRequest, req)
|
|
219 |
|
|
220 |
def testUnknownScheme(self):
|
|
221 |
headers = { http.HTTP_AUTHORIZATION: "NewStyleAuth abc", }
|
|
222 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
223 |
ra = _FakeRequestAuth("area1", False, None)
|
|
224 |
self.assertRaises(http.HttpUnauthorized, ra.PreHandleRequest, req)
|
|
225 |
|
|
226 |
def testInvalidBase64(self):
|
|
227 |
headers = { http.HTTP_AUTHORIZATION: "Basic x_=_", }
|
|
228 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
229 |
ra = _FakeRequestAuth("area1", False, None)
|
|
230 |
self.assertRaises(http.HttpUnauthorized, ra.PreHandleRequest, req)
|
|
231 |
|
|
232 |
def testAuthForPublicResource(self):
|
|
233 |
headers = {
|
|
234 |
http.HTTP_AUTHORIZATION: "Basic %s" % ("foo".encode("base64").strip(), ),
|
|
235 |
}
|
|
236 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
237 |
ra = _FakeRequestAuth("area1", False, None)
|
|
238 |
self.assertRaises(http.HttpUnauthorized, ra.PreHandleRequest, req)
|
|
239 |
|
|
240 |
def testAuthForPublicResource(self):
|
|
241 |
headers = {
|
|
242 |
http.HTTP_AUTHORIZATION:
|
|
243 |
"Basic %s" % ("foo:bar".encode("base64").strip(), ),
|
|
244 |
}
|
|
245 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
246 |
ac = _SimpleAuthenticator("foo", "bar")
|
|
247 |
ra = _FakeRequestAuth("area1", False, ac)
|
|
248 |
ra.PreHandleRequest(req)
|
|
249 |
|
|
250 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
251 |
ac = _SimpleAuthenticator("something", "else")
|
|
252 |
ra = _FakeRequestAuth("area1", False, ac)
|
|
253 |
self.assertRaises(http.HttpUnauthorized, ra.PreHandleRequest, req)
|
|
254 |
|
|
255 |
def testInvalidRequestHeader(self):
|
|
256 |
checks = {
|
|
257 |
http.HttpUnauthorized: ["", "\t", "-", ".", "@", "<", ">", "Digest",
|
|
258 |
"basic %s" % "foobar".encode("base64").strip()],
|
|
259 |
http.HttpBadRequest: ["Basic"],
|
|
260 |
}
|
|
261 |
|
|
262 |
for exc, headers in checks.items():
|
|
263 |
for i in headers:
|
|
264 |
headers = { http.HTTP_AUTHORIZATION: i, }
|
|
265 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
266 |
ra = _FakeRequestAuth("area1", False, None)
|
|
267 |
self.assertRaises(exc, ra.PreHandleRequest, req)
|
|
268 |
|
|
269 |
def testBasicAuth(self):
|
|
270 |
for user in ["", "joe", "user name with spaces"]:
|
|
271 |
for pw in ["", "-", ":", "foobar", "Foo Bar Baz", "@@@", "###",
|
|
272 |
"foo:bar:baz"]:
|
|
273 |
for wrong_pw in [True, False]:
|
|
274 |
basic_auth = "%s:%s" % (user, pw)
|
|
275 |
if wrong_pw:
|
|
276 |
basic_auth += "WRONG"
|
|
277 |
headers = {
|
|
278 |
http.HTTP_AUTHORIZATION:
|
|
279 |
"Basic %s" % (basic_auth.encode("base64").strip(), ),
|
|
280 |
}
|
|
281 |
req = http.server._HttpServerRequest("GET", "/", headers, None)
|
|
282 |
|
|
283 |
ac = _SimpleAuthenticator(user, pw)
|
|
284 |
self.assertFalse(ac.called)
|
|
285 |
ra = _FakeRequestAuth("area1", True, ac)
|
|
286 |
if wrong_pw:
|
|
287 |
try:
|
|
288 |
ra.PreHandleRequest(req)
|
|
289 |
except http.HttpUnauthorized, err:
|
|
290 |
www_auth = err.headers[http.HTTP_WWW_AUTHENTICATE]
|
|
291 |
self.assert_(www_auth.startswith(http.auth.HTTP_BASIC_AUTH))
|
|
292 |
else:
|
|
293 |
self.fail("Didn't raise HttpUnauthorized")
|
|
294 |
else:
|
|
295 |
ra.PreHandleRequest(req)
|
|
296 |
self.assert_(ac.called)
|
|
297 |
|
|
298 |
|
|
299 |
class TestReadPasswordFile(testutils.GanetiTestCase):
|
|
300 |
def setUp(self):
|
|
301 |
testutils.GanetiTestCase.setUp(self)
|
|
302 |
|
|
303 |
self.tmpfile = tempfile.NamedTemporaryFile()
|
|
304 |
|
|
305 |
def testSimple(self):
|
|
306 |
self.tmpfile.write("user1 password")
|
|
307 |
self.tmpfile.flush()
|
|
308 |
|
|
309 |
users = http.auth.ReadPasswordFile(self.tmpfile.name)
|
|
310 |
self.assertEqual(len(users), 1)
|
|
311 |
self.assertEqual(users["user1"].password, "password")
|
|
312 |
self.assertEqual(len(users["user1"].options), 0)
|
|
313 |
|
|
314 |
def testOptions(self):
|
|
315 |
self.tmpfile.write("# Passwords\n")
|
|
316 |
self.tmpfile.write("user1 password\n")
|
|
317 |
self.tmpfile.write("\n")
|
|
318 |
self.tmpfile.write("# Comment\n")
|
|
319 |
self.tmpfile.write("user2 pw write,read\n")
|
|
320 |
self.tmpfile.write(" \t# Another comment\n")
|
|
321 |
self.tmpfile.write("invalidline\n")
|
|
322 |
self.tmpfile.flush()
|
|
323 |
|
|
324 |
users = http.auth.ReadPasswordFile(self.tmpfile.name)
|
|
325 |
self.assertEqual(len(users), 2)
|
|
326 |
self.assertEqual(users["user1"].password, "password")
|
|
327 |
self.assertEqual(len(users["user1"].options), 0)
|
|
328 |
|
|
329 |
self.assertEqual(users["user2"].password, "pw")
|
|
330 |
self.assertEqual(users["user2"].options, ["write", "read"])
|
|
331 |
|
|
332 |
|
167 |
333 |
if __name__ == '__main__':
|
168 |
334 |
testutils.GanetiTestProgram()
|