tf\&dZddlZddlmZddlmZddlmZmZddl m Z m Z m Z ddl mZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZmZddlmZddl m!Z!m"Z"ddl#m$Z$ddl%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.dZ/GddZ0GddZ1Gdde1e0ej2Z3Gdde1ej2Z4Gdd e1ej2Z5eej6Gd!d"Z7Gd#d$ej2Z8dS)%z! Tests for L{twisted.web._auth}. N) implementer) verifyObject)errorportal) ANONYMOUSAllowAnonymousAccess'InMemoryUsernamePasswordDatabaseDontUse)IUsernamePassword) IPv4Address)ConnectionDone)EventLoggingObserver)globalLogPublisher)Failure)unittest)basicdigest)BasicCredentialFactory)HTTPAuthSessionWrapperUnauthorizedResource)ICredentialFactory) IResourceResourcegetChildForRequest NOT_DONE_YET)Data) DummyRequestcNtj|SN)base64 b64encodestrip)ss ]/var/www/surfInsights/venv3-11/lib/python3.11/site-packages/twisted/web/test/test_httpauth.pyr!r!%s  A   $ $ & &&c>eZdZdZdZd dZdZdZdZd Z d Z dS) BasicAuthTestsMixinz L{TestCase} mixin class which defines a number of tests for L{basic.BasicCredentialFactory}. Because this mixin defines C{setUp}, it must be inherited before L{TestCase}. c||_d|_d|_d|_t j|j|_dS)NsfoosdreidsS3CuR1Ty) makeRequestrequestrealmusernamepasswordrrcredentialFactoryselfs r$setUpzBasicAuthTestsMixin.setUp0sE''))    # !&!=dj!I!Ir%GETNc0t|jd)z Create a request object to be passed to L{basic.BasicCredentialFactory.decode} along with a response value. Override this in a subclass. z did not implement makeRequest)NotImplementedError __class__)r0method clientAddresss r$r)zBasicAuthTestsMixin.makeRequest7s "T^"U"U"UVVVr%c`|tt|jdS)zM L{BasicCredentialFactory} implements L{ICredentialFactory}. N assertTruerrr.r/s r$test_interfacez"BasicAuthTestsMixin.test_interface?*  %79OPPQQQQQr%ctd|jd|jg}|j||j}|tj ||| |j| | |jdzdS)z L{basic.BasicCredentialFactory.decode} turns a base64-encoded response into a L{UsernamePassword} object with a password which reflects the one which was encoded in the response. r%:swrongN) r!joinr,r-r.decoder*r:r providedBy checkPassword assertFalser0responsecredss r$test_usernamePasswordz)BasicAuthTestsMixin.test_usernamePasswordEs SXXt}dDM&JKKLL&--h EE )4U;;<<< ++DM::;;; ,,T]X-EFFGGGGGr%cxtd|jd|jg}|d}|j||j}|tt||| |jdS)zz L{basic.BasicCredentialFactory.decode} decodes a base64-encoded response with incorrect padding. r%r>=N) r!r?r,r-r"r.r@r*r:rr rBrDs r$test_incorrectPaddingz)BasicAuthTestsMixin.test_incorrectPaddingRs SXXt}dDM&JKKLL>>$''&--h EE  %6>>??? ++DM::;;;;;r%cd}|tj|jj||dS)z L{basic.BasicCredentialFactory.decode} raises L{LoginFailed} if passed a response which is not base64-encoded. xN) assertRaisesr LoginFailedr.r@r)r0rEs r$test_invalidEncodingz(BasicAuthTestsMixin.test_invalidEncoding^sL      " )            r%ctd}|tj|jj||dS)z L{basic.BasicCredentialFactory.decode} raises L{LoginFailed} when passed a response which is not valid base64-encoded text. s123abc+/N)r!rMrrNr.r@r)rOs r$test_invalidCredentialsz+BasicAuthTestsMixin.test_invalidCredentialsksT [))     " )            r%r2N) __name__ __module__ __qualname____doc__r1r)r;rGrJrPrRr%r$r'r')s JJJWWWWRRR H H H < < <          r%r'ceZdZddZdS) RequestMixinr2Ncf|tddd}td}||_||_|S)zo Create a L{DummyRequest} (change me to create a L{twisted.web.http.Request} instead). NTCP localhosti/)r rr6client)r0r6r7r*s r$r)zRequestMixin.makeRequestzs;  '{DAAMt$$&r%rS)rTrUrVr)rXr%r$rZrZys(      r%rZceZdZdZdS)BasicAuthTestszK Basic authentication tests which use L{twisted.web.http.Request}. N)rTrUrVrWrXr%r$rarasr%rac0eZdZdZdZdZdZdZdZdS)DigestAuthTestszL Digest authentication tests which use L{twisted.web.http.Request}. cd|_d|_tj|j|j|_||_dS)z> Create a DigestCredentialFactory for testing test realmmd5N)r+ algorithmrDigestCredentialFactoryr.r)r*r/s r$r1zDigestAuthTests.setUpsI# !'!? NDJ" " '')) r%cDdddgtfd}jjd|t dd}j|dd S) z L{digest.DigestCredentialFactory.decode} calls the C{decode} method on L{twisted.cred.digest.DigestCredentialFactory} with the HTTP method and host of the request. s 169.254.0.1r2Fc|||dd<dS)NTr) assertEqual) _response_method_hostdonehostr6rEr0s r$checkz*DigestAuthTests.test_decode..checksR   Xy 1 1 1   VW - - -   T5 ) ) )DGGGr%r@r\QrN)objectpatchr.rr)r r@r:)r0rqreqrorpr6rEs` @@@@r$ test_decodezDigestAuthTests.test_decodes w88          4)0(EBBBv{5$'C'CDD %%h444 Q     r%c`|tt|jdS)zN L{DigestCredentialFactory} implements L{ICredentialFactory}. Nr9r/s r$r;zDigestAuthTests.test_interfacer<r%c|j|j}||dd||dd||dd|d||d||D]}|d |d S) ah The challenge issued by L{DigestCredentialFactory.getChallenge} must include C{'qop'}, C{'realm'}, C{'algorithm'}, C{'nonce'}, and C{'opaque'} keys. The values for the C{'realm'} and C{'algorithm'} keys must match the values supplied to the factory's initializer. None of the values may have newlines in them. qopauthr+rergrfnonceopaque N)r. getChallenger*rkassertInvalues assertNotIn)r0 challengevs r$test_getChallengez!DigestAuthTests.test_getChallenges*77 EE  5)7333 7+];;; ;/888 gy))) h ***!!## ' 'A   UA & & & & ' 'r%cf|dd}|j|}||dd||dd||dd|d ||d |dS) z L{DigestCredentialFactory.getChallenge} can issue a challenge even if the L{Request} it is passed returns L{None} from C{getClientIP}. r2Nryrzr+rergrfr{r|)r)r.r~rkr)r0r*rs r$ test_getChallengeWithoutClientIPz0DigestAuthTests.test_getChallengeWithoutClientIPs ""6400*77@@  5)7333 7+];;; ;/888 gy))) h *****r%N) rTrUrVrWr1rvr;rrrXr%r$rcrcsl * * *!!!,RRR '''" + + + + +r%rcc6eZdZdZdZdZdZdZdZdZ dS) UnauthorizedResourceTestsz, Tests for L{UnauthorizedResource}. ctg}||dd|||dd|dS)zF An L{UnauthorizedResource} is every child of itself. fooNbar)rassertIdenticalgetChildWithDefault)r0resources r$test_getChildWithDefaultz2UnauthorizedResourceTests.test_getChildWithDefaultsc(++ X99%FFQQQ X99%FFQQQQQr%cttdg}||||jd||jddgdS)z Render L{UnauthorizedResource} for the given request object and verify that the response code is I{Unauthorized} and that a I{WWW-Authenticate} header is set in the response containing a challenge. example.comwww-authenticatesbasic realm="example.com"N)rrrenderrk responseCoderesponseHeaders getRawHeaders)r0r*rs r$_unauthorizedRenderTestz1UnauthorizedResourceTests._unauthorizedRenderTests ()? )N)N(OPPx    -s333   # 1 12E F F ) *     r%c|}|||dd|jdS)z L{UnauthorizedResource} renders with a 401 response code and a I{WWW-Authenticate} header and puts a simple unauthorized message into the response body. s Unauthorizedr%Nr)rrkr?writtenr0r*s r$ test_renderz%UnauthorizedResourceTests.test_rendersS ""$$ $$W--- #((7?*C*CDDDDDr%c|d}|||dd|jdS)z The rendering behavior of L{UnauthorizedResource} for a I{HEAD} request is like its handling of a I{GET} request, but no response body is written. sHEAD)r6r%Nrrs r$test_renderHEADz)UnauthorizedResourceTests.test_renderHEADsX ""'"22 $$W--- chhw7788888r%cttdg}|}||||jddgdS)z The realm value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResounrce} is rendered has quotes and backslashes escaped. z example\"foorsbasic realm="example\\\"foo"N)rrr)rrkrr)r0rr*s r$test_renderQuotesRealmz0UnauthorizedResourceTests.test_renderQuotesRealms} ()?)P)P(QRR""$$x      # 1 12E F F / 0     r%c6ttjddg}|}|||jdd}|d||d|dS)z The digest value included in the I{WWW-Authenticate} header set in the response when L{UnauthorizedResource} is rendered has quotes and backslashes escaped. rfs example\"foorrsrealm="example\\\"foo"shm="md5N)rrrhr)rrrr)r0rr* authHeaders r$test_renderQuotesDigestz1UnauthorizedResourceTests.test_renderQuotesDigests (  +F4D E E F  ""$$x   ,::;NOOPQR  2J??? j*-----r%N) rTrUrVrWrrrrrrrXr%r$rrs~RRR    EEE999     . . . . .r%rc$eZdZdZdZdZdZdS)RealmaJ A simple L{IRealm} implementation which gives out L{WebAvatar} for any avatarId. @type loggedIn: C{int} @ivar loggedIn: The number of times C{requestAvatar} has been invoked for L{IResource}. @type loggedOut: C{int} @ivar loggedOut: The number of times the logout callback has been invoked. c0d|_d|_||_dS)Nr) loggedOutloggedIn avatarFactory)r0rs r$__init__zRealm.__init__5s *r%ct|vr2|xjdz c_t|||jfSt N)rrrlogoutr4)r0avatarIdmind interfacess r$ requestAvatarzRealm.requestAvatar:sF  " " MMQ MMd00::DKG G!###r%c&|xjdz c_dSr)rr/s r$rz Realm.logout@s !r%N)rTrUrVrWrrrrXr%r$rr(sK  +++ $$$ r%rceZdZdZeZdZdZdZdZ dZ dZ dZ d Z d Zd Zd Zd ZdZdZdZdZdZdZdS)HTTPAuthHeaderTestsz. Tests for L{HTTPAuthSessionWrapper}. cNd|_d|_d|_d|_d|_t |_|j|j|jt|jd|_ |j |jt|jd|j|j i|_ t|j j |_tj|j|jg|_g|_t%|j|j|_dS)z\ Create a realm, portal, and L{HTTPAuthSessionWrapper} to use in the tests. sfoo barsbar bazs&contents of the avatar resource itselfs foo-childs'contents of the foo child of the avatar text/plainN)r,r- avatarContent childName childContentr checkeraddUserravatarputChildavatarsrgetr+rPortalcredentialFactoriesrwrapperr/s r$r1zHTTPAuthHeaderTests.setUpKs# " F%F>@@  T]DM:::4-|<<  T^T$2C\-R-RSSS t{3 4<+,, mDJ?? #% -dk4;STT r%ct|jdz|jz}|jdd|zt |j|S)z Add an I{basic authorization} header to the given request and then dispatch it, starting from C{self.wrapper} and returning the resulting L{IResource}. r> authorizationBasic )r!r,r-requestHeaders addRawHeaderrr)r0r* authorizations r$_authorizedBasicLoginz)HTTPAuthHeaderTests._authorizedBasicLogin^sP "$-$"6"FGG ++,WXXX!$,888r%cjgtj}}fd}||||S)z Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} instance when the request does not have the required I{Authorization} headers. c>jddSNrrkrresultr*r0s r$ cbFinishedz@HTTPAuthHeaderTests.test_getChildWithDefault..cbFinishedr"   W13 7 7 7 7 7r%)r)rrr notifyFinish addCallbackrr0childdrr*s` @r$rz,HTTPAuthHeaderTests.test_getChildWithDefaulths ""DN#344"4<99  " " 8 8 8 8 8 8 j!!!ur%cvjtdjgjd|tj} }fd}| | ||S)a( Create a request with the given value as the value of an I{Authorization} header and perform resource traversal with it, starting at C{self.wrapper}. Assert that the result is a 401 response code. Return a L{Deferred} which fires when this is all done. rrc>jddSrrrs r$rzAHTTPAuthHeaderTests._invalidAuthorizationTest..cbFinishedrr%) rappendrr)rrrrrrrr)r0rErrrr*s` @r$_invalidAuthorizationTestz-HTTPAuthHeaderTests._invalidAuthorizationTestys  ''(>}(M(MNNN""DN#344++,HTTPAuthHeaderTests.test_getChildWithDefaultUnrecognizedSchemes --.ABBBr%c@jtdjg}}fd}||||S)z Resource traversal which encounters an L{HTTPAuthSessionWrapper} results in an L{IResource} which renders the L{IResource} avatar retrieved from the portal when the request has a valid I{Authorization} header. rcJjjgdSr)rkrrignoredr*r0s r$rzJHTTPAuthHeaderTests.test_getChildWithDefaultAuthorized..cbFinisheds'   W_t/@.A B B B B Br%) rrrr)rrrrrrs` @r$"test_getChildWithDefaultAuthorizedz6HTTPAuthHeaderTests.test_getChildWithDefaultAuthorizeds  ''(>}(M(MNNN""DN#344**733  " " C C C C C C j!!!ur%c4jtdg}}fd}||||S)a Resource traversal which terminates at an L{HTTPAuthSessionWrapper} and includes correct authentication headers results in the L{IResource} avatar (not one of its children) retrieved from the portal being rendered. rcJjjgdSr)rkrrrs r$rz=HTTPAuthHeaderTests.test_renderAuthorized..cbFinisheds'   W_t/A.B C C C C Cr%)rrrr)rrrrrs` @r$test_renderAuthorizedz)HTTPAuthHeaderTests.test_renderAuthorizeds  ''(>}(M(MNNN""2&&**733  " " D D D D D D j!!!ur%cttGdd}|jjgt j}}fd}| | ||S)z When L{HTTPAuthSessionWrapper} finds an L{ICredentialFactory} to issue a challenge, it calls the C{getChallenge} method with the request as an argument. ceZdZdZdZdZdS)UHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactorysdumbcg|_dSr)requestsr/s r$rz^HTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.__init__s " r%c:|j|iSr)rrrs r$r~zbHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..DumbCredentialFactory.getChallenges $$W--- r%N)rTrUrVschemerr~rXr%r$DumbCredentialFactoryrs7F # # #     r%rc@jgdSr)rkr)rfactoryr*r0s r$rzJHTTPAuthHeaderTests.test_getChallengeCalledWithRequest..cbFinisheds$   W-y 9 9 9 9 9r%) rrrrr)rrrrrr)r0rrrrrr*s` @@r$"test_getChallengeCalledWithRequestz6HTTPAuthHeaderTests.test_getChallengeCalledWithRequests ' ( (        ) ( ('))  ''000""DN#344"4<99  " " : : : : : : : j!!!ur%c|jtdGddt}|j|j|||jg}||}| || |j j d|S)a Issue a request for an authentication-protected resource using valid credentials and then return the C{DummyRequest} instance which was used. This is a helper for tests about the behavior of the logout callback. rceZdZdZdS)7HTTPAuthHeaderTests._logoutTest..SlowerResourcectSrrrs r$rz>HTTPAuthHeaderTests._logoutTest..SlowerResource.renders##r%N)rTrUrVrrXr%r$SlowerResourcers# $ $ $ $ $r%rr) rrrrrrrr)rrrkr+r)r0rr*rs r$ _logoutTestzHTTPAuthHeaderTests._logoutTests  ''(>}(M(MNNN $ $ $ $ $X $ $ $ T^^^-=-=>>>""DN#344**733u -q111r%c|}|||jjddS)zX The realm's logout callback is invoked after the resource is rendered. rN)rfinishrkr+rrs r$ test_logoutzHTTPAuthHeaderTests.test_logoutsF""$$ -q11111r%c|}|ttd||jjddS)z The realm's logout callback is also invoked if there is an error generating the response (for example, if the client disconnects early). zSimulated disconnectrN)rprocessingFailedrr rkr+rrs r$test_logoutOnErrorz&HTTPAuthHeaderTests.test_logoutOnError s[ ""$$  8N)O)O!P!PQQQ -q11111r%c |jtd||jg}|jddt|j|}| |tdS)z Resource traversal which enouncters an L{HTTPAuthSessionWrapper} results in an L{UnauthorizedResource} when the request has a I{Basic Authorization} header which cannot be decoded using base64. rrsBasic decode should failN) rrrr)rrrrrassertIsInstancer)r0r*rs r$test_decodeRaisesz%HTTPAuthHeaderTests.test_decodeRaisess  ''(>}(M(MNNN""DN#344++ 9   #4<99 e%9:::::r%cd}||j|dtd}|j|||j||dfdS)z L{HTTPAuthSessionWrapper._selectParseHeader} returns a two-tuple giving the L{ICredentialFactory} to use to parse the header and a string containing the portion of the header which remains to be parsed. sBasic abcdef123456)NNrs abcdef123456N)rkr_selectParseHeaderrrr)r0basicAuthorizationrs r$test_selectParseResponsez,HTTPAuthHeaderTests.test_selectParseResponse$s 3  L + +,> ? ?   )77  ''000  L + +,> ? ? o &     r%ctj|t}GddtGfdd}|j|||jg}|j ddt|j |}| || |jd|dt!|||d d j| t!|dd S) z Any unexpected exception raised by the credential factory's C{decode} method results in a 500 response code and causes the exception to be logged. ceZdZdS)KHTTPAuthHeaderTests.test_unexpectedDecodeError..UnexpectedExceptionNrTrUrVrXr%r$UnexpectedExceptionr = Dr%r c$eZdZdZdZfdZdS)BHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactorysbadciSrrX)r0r_s r$r~zOHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.getChallengeCs r%crrX)r0rEr*r s r$r@zIHTTPAuthHeaderTests.test_unexpectedDecodeError..BadFactory.decodeF))+++r%N)rTrUrVrr~r@r sr$ BadFactoryr@sBF    , , , , , , ,r%rrsBad abcrr log_failureN)r createWithCleanupr Exceptionrrr)rrrrrrrkr assertEqualslenrvalueflushLoggedErrors)r0 logObserverrr*rr s @r$test_unexpectedDecodeErrorz.HTTPAuthHeaderTests.test_unexpectedDecodeError5su +.UnexpectedExceptionNr rXr%r$r r"Zrr%r c eZdZefZfdZdS)DHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenCheckercrrX)r0 credentialsr s r$requestAvatarIdzTHTTPAuthHeaderTests.test_unexpectedLoginError..BrokenChecker.requestAvatarId`rr%N)rTrUrVr credentialInterfacesr'rsr$ BrokenCheckerr$]s7$5#7  , , , , , , ,r%r)rrrrrN)r rrrrregisterCheckerrrrr)rrrrkrrrrrr)r0rr)r*rr s @r$test_unexpectedLoginErrorz-HTTPAuthHeaderTests.test_unexpectedLoginErrorSs| +}(M(MNNN""DN#344**733u -s333 !S--... k!n];ACVWWW T334GHHII1MMMMMr%c<dtjt<jtjt djtj td jgtj}}fd}||||S)zl Anonymous requests are allowed if a L{Portal} has an anonymous checker registered. s*contents of the unprotected child resourcerrc@jgdSr)rkr)rr*r0unprotectedContentss r$rz.cbFinisheds%   W_/B.C D D D D Dr%)rrrrrrrr*rrrrr)rrrrr)r0rrrr*r.s` @@r$test_anonymousAccessz(HTTPAuthHeaderTests.test_anonymousAccessms L"*** Y Y(( ND!4lCC    ##$8$:$:;;;  ''(>}(M(MNNN""DN#344"4<99  " " E E E E E E E j!!!ur%N)rTrUrVrWrr)r1rrrrrrrrrrrrrrrr+r/rXr%r$rrDsBKUUU&999"(QQQ    CCC&(>,222222 ; ; ;   "NNN<NNN4r%r)9rWr zope.interfacerzope.interface.verifyr twisted.credrrtwisted.cred.checkersrrr twisted.cred.credentialsr twisted.internet.addressr twisted.internet.errorr twisted.internet.testingr twisted.loggerrtwisted.python.failurer twisted.trialrtwisted.web._authrrtwisted.web._auth.basicrtwisted.web._auth.wrapperrrtwisted.web.iwebrtwisted.web.resourcerrrtwisted.web.serverrtwisted.web.staticrtwisted.web.test.test_webrr!r'rZTestCaserarcrIRealmrrrXr%r$rEs7  &&&&&&......&&&&&&&& 766666000000111111999999------******""""""++++++++::::::RRRRRRRR//////HHHHHHHHHH++++++######222222'''M M M M M M M M `        \#68I H+H+H+H+H+lH$5H+H+H+VJ.J.J.J.J. h.?J.J.J.Z FM8@@@@@(+@@@@@r%