1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
# This file is part of CherryPy <http://www.cherrypy.org/>
# -*- coding: utf-8 -*-
# vim:ts=4:sw=4:expandtab:fileencoding=utf-8
import cherrypy
from cherrypy.lib import auth_digest
from cherrypy._cpcompat import ntob
from cherrypy.test import helper
def _fetch_users():
return {'test': 'test', '☃йюзер': 'їпароль'}
get_ha1 = cherrypy.lib.auth_digest.get_ha1_dict_plain(_fetch_users())
class DigestAuthTest(helper.CPWebCase):
@staticmethod
def setup_server():
class Root:
@cherrypy.expose
def index(self):
return 'This is public.'
class DigestProtected:
@cherrypy.expose
def index(self, *args, **kwargs):
return "Hello %s, you've been authorized." % (
cherrypy.request.login)
conf = {'/digest': {'tools.auth_digest.on': True,
'tools.auth_digest.realm': 'localhost',
'tools.auth_digest.get_ha1': get_ha1,
'tools.auth_digest.key': 'a565c27146791cfb',
'tools.auth_digest.debug': True,
'tools.auth_digest.accept_charset': 'UTF-8'}}
root = Root()
root.digest = DigestProtected()
cherrypy.tree.mount(root, config=conf)
def testPublic(self):
self.getPage('/')
assert self.status == '200 OK'
self.assertHeader('Content-Type', 'text/html;charset=utf-8')
assert self.body == b'This is public.'
def _test_parametric_digest(self, username, realm):
test_uri = '/digest/?@/=%2F%40&%f0%9f%99%88=path'
self.getPage(test_uri)
assert self.status_code == 401
msg = 'Digest authentification scheme was not found'
www_auth_digest = tuple(filter(
lambda kv: kv[0].lower() == 'www-authenticate'
and kv[1].startswith('Digest '),
self.headers,
))
assert len(www_auth_digest) == 1, msg
items = www_auth_digest[0][-1][7:].split(', ')
tokens = {}
for item in items:
key, value = item.split('=')
tokens[key.lower()] = value
assert tokens['realm'] == '"localhost"'
assert tokens['algorithm'] == '"MD5"'
assert tokens['qop'] == '"auth"'
assert tokens['charset'] == '"UTF-8"'
nonce = tokens['nonce'].strip('"')
# Test user agent response with a wrong value for 'realm'
base_auth = ('Digest username="%s", '
'realm="%s", '
'nonce="%s", '
'uri="%s", '
'algorithm=MD5, '
'response="%s", '
'qop=auth, '
'nc=%s, '
'cnonce="1522e61005789929"')
encoded_user = username
encoded_user = encoded_user.encode('utf-8')
encoded_user = encoded_user.decode('latin1')
auth_header = base_auth % (
encoded_user, realm, nonce, test_uri,
'11111111111111111111111111111111', '00000001',
)
auth = auth_digest.HttpDigestAuthorization(auth_header, 'GET')
# calculate the response digest
ha1 = get_ha1(auth.realm, auth.username)
response = auth.request_digest(ha1)
auth_header = base_auth % (
encoded_user, realm, nonce, test_uri,
response, '00000001',
)
self.getPage(test_uri, [('Authorization', auth_header)])
def test_wrong_realm(self):
# send response with correct response digest, but wrong realm
self._test_parametric_digest(username='test', realm='wrong realm')
assert self.status_code == 401
def test_ascii_user(self):
self._test_parametric_digest(username='test', realm='localhost')
assert self.status == '200 OK'
assert self.body == b"Hello test, you've been authorized."
def test_unicode_user(self):
self._test_parametric_digest(username='☃йюзер', realm='localhost')
assert self.status == '200 OK'
assert self.body == ntob(
"Hello ☃йюзер, you've been authorized.", 'utf-8',
)
def test_wrong_scheme(self):
basic_auth = {
'Authorization': 'Basic foo:bar',
}
self.getPage('/digest/', headers=list(basic_auth.items()))
assert self.status_code == 401
|
