AlaK4X
Linux lhjmq-records 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64



Your IP : 52.14.148.63


Current Path : /lib/python3/dist-packages/twisted/cred/test/
Upload File :
Current File : //lib/python3/dist-packages/twisted/cred/test/test_strcred.py

# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.

"""
L{twisted.cred.strcred}.
"""


import os
from io import StringIO
from typing import Sequence, Type
from unittest import skipIf

from zope.interface import Interface

from twisted import plugin
from twisted.cred import checkers, credentials, error, strcred
from twisted.plugins import cred_anonymous, cred_file, cred_unix
from twisted.python import usage
from twisted.python.fakepwd import UserDatabase
from twisted.python.filepath import FilePath
from twisted.python.reflect import requireModule
from twisted.trial.unittest import TestCase

crypt = requireModule("crypt")
pwd = requireModule("pwd")
spwd = requireModule("spwd")


def getInvalidAuthType():
    """
    Helper method to produce an auth type that doesn't exist.
    """
    invalidAuthType = "ThisPluginDoesNotExist"
    while invalidAuthType in [
        factory.authType for factory in strcred.findCheckerFactories()
    ]:
        invalidAuthType += "_"
    return invalidAuthType


class PublicAPITests(TestCase):
    def test_emptyDescription(self):
        """
        The description string cannot be empty.
        """
        iat = getInvalidAuthType()
        self.assertRaises(strcred.InvalidAuthType, strcred.makeChecker, iat)
        self.assertRaises(strcred.InvalidAuthType, strcred.findCheckerFactory, iat)

    def test_invalidAuthType(self):
        """
        An unrecognized auth type raises an exception.
        """
        iat = getInvalidAuthType()
        self.assertRaises(strcred.InvalidAuthType, strcred.makeChecker, iat)
        self.assertRaises(strcred.InvalidAuthType, strcred.findCheckerFactory, iat)


class StrcredFunctionsTests(TestCase):
    def test_findCheckerFactories(self):
        """
        L{strcred.findCheckerFactories} returns all available plugins.
        """
        availablePlugins = list(strcred.findCheckerFactories())
        for plg in plugin.getPlugins(strcred.ICheckerFactory):
            self.assertIn(plg, availablePlugins)

    def test_findCheckerFactory(self):
        """
        L{strcred.findCheckerFactory} returns the first plugin
        available for a given authentication type.
        """
        self.assertIdentical(
            strcred.findCheckerFactory("file"), cred_file.theFileCheckerFactory
        )


class MemoryCheckerTests(TestCase):
    def setUp(self):
        self.admin = credentials.UsernamePassword("admin", "asdf")
        self.alice = credentials.UsernamePassword("alice", "foo")
        self.badPass = credentials.UsernamePassword("alice", "foobar")
        self.badUser = credentials.UsernamePassword("x", "yz")
        self.checker = strcred.makeChecker("memory:admin:asdf:alice:foo")

    def test_isChecker(self):
        """
        Verifies that strcred.makeChecker('memory') returns an object
        that implements the L{ICredentialsChecker} interface.
        """
        self.assertTrue(checkers.ICredentialsChecker.providedBy(self.checker))
        self.assertIn(credentials.IUsernamePassword, self.checker.credentialInterfaces)

    def test_badFormatArgString(self):
        """
        An argument string which does not contain user:pass pairs
        (i.e., an odd number of ':' characters) raises an exception.
        """
        self.assertRaises(
            strcred.InvalidAuthArgumentString, strcred.makeChecker, "memory:a:b:c"
        )

    def test_memoryCheckerSucceeds(self):
        """
        The checker works with valid credentials.
        """

        def _gotAvatar(username):
            self.assertEqual(username, self.admin.username)

        return self.checker.requestAvatarId(self.admin).addCallback(_gotAvatar)

    def test_memoryCheckerFailsUsername(self):
        """
        The checker fails with an invalid username.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badUser), error.UnauthorizedLogin
        )

    def test_memoryCheckerFailsPassword(self):
        """
        The checker fails with an invalid password.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badPass), error.UnauthorizedLogin
        )


class AnonymousCheckerTests(TestCase):
    def test_isChecker(self):
        """
        Verifies that strcred.makeChecker('anonymous') returns an object
        that implements the L{ICredentialsChecker} interface.
        """
        checker = strcred.makeChecker("anonymous")
        self.assertTrue(checkers.ICredentialsChecker.providedBy(checker))
        self.assertIn(credentials.IAnonymous, checker.credentialInterfaces)

    def testAnonymousAccessSucceeds(self):
        """
        We can log in anonymously using this checker.
        """
        checker = strcred.makeChecker("anonymous")
        request = checker.requestAvatarId(credentials.Anonymous())

        def _gotAvatar(avatar):
            self.assertIdentical(checkers.ANONYMOUS, avatar)

        return request.addCallback(_gotAvatar)


@skipIf(not pwd, "Required module not available: pwd")
@skipIf(not crypt, "Required module not available: crypt")
@skipIf(not spwd, "Required module not available: spwd")
class UnixCheckerTests(TestCase):

    users = {
        "admin": "asdf",
        "alice": "foo",
    }

    def _spwd_getspnam(self, username):
        return spwd.struct_spwd(
            (
                username,
                crypt.crypt(self.users[username], "F/"),
                0,
                0,
                99999,
                7,
                -1,
                -1,
                -1,
            )
        )

    def setUp(self):
        self.admin = credentials.UsernamePassword("admin", "asdf")
        self.alice = credentials.UsernamePassword("alice", "foo")
        self.badPass = credentials.UsernamePassword("alice", "foobar")
        self.badUser = credentials.UsernamePassword("x", "yz")
        self.checker = strcred.makeChecker("unix")
        self.adminBytes = credentials.UsernamePassword(b"admin", b"asdf")
        self.aliceBytes = credentials.UsernamePassword(b"alice", b"foo")
        self.badPassBytes = credentials.UsernamePassword(b"alice", b"foobar")
        self.badUserBytes = credentials.UsernamePassword(b"x", b"yz")
        self.checkerBytes = strcred.makeChecker("unix")

        # Hack around the pwd and spwd modules, since we can't really
        # go about reading your /etc/passwd or /etc/shadow files
        if pwd:
            database = UserDatabase()
            for username, password in self.users.items():
                database.addUser(
                    username,
                    crypt.crypt(password, "F/"),
                    1000,
                    1000,
                    username,
                    "/home/" + username,
                    "/bin/sh",
                )
            self.patch(pwd, "getpwnam", database.getpwnam)
        if spwd:
            self.patch(spwd, "getspnam", self._spwd_getspnam)

    def test_isChecker(self):
        """
        Verifies that strcred.makeChecker('unix') returns an object
        that implements the L{ICredentialsChecker} interface.
        """
        self.assertTrue(checkers.ICredentialsChecker.providedBy(self.checker))
        self.assertIn(credentials.IUsernamePassword, self.checker.credentialInterfaces)
        self.assertTrue(checkers.ICredentialsChecker.providedBy(self.checkerBytes))
        self.assertIn(
            credentials.IUsernamePassword, self.checkerBytes.credentialInterfaces
        )

    def test_unixCheckerSucceeds(self):
        """
        The checker works with valid credentials.
        """

        def _gotAvatar(username):
            self.assertEqual(username, self.admin.username)

        return self.checker.requestAvatarId(self.admin).addCallback(_gotAvatar)

    def test_unixCheckerSucceedsBytes(self):
        """
        The checker works with valid L{bytes} credentials.
        """

        def _gotAvatar(username):
            self.assertEqual(username, self.adminBytes.username.decode("utf-8"))

        return self.checkerBytes.requestAvatarId(self.adminBytes).addCallback(
            _gotAvatar
        )

    def test_unixCheckerFailsUsername(self):
        """
        The checker fails with an invalid username.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badUser), error.UnauthorizedLogin
        )

    def test_unixCheckerFailsUsernameBytes(self):
        """
        The checker fails with an invalid L{bytes} username.
        """
        return self.assertFailure(
            self.checkerBytes.requestAvatarId(self.badUserBytes),
            error.UnauthorizedLogin,
        )

    def test_unixCheckerFailsPassword(self):
        """
        The checker fails with an invalid password.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badPass), error.UnauthorizedLogin
        )

    def test_unixCheckerFailsPasswordBytes(self):
        """
        The checker fails with an invalid L{bytes} password.
        """
        return self.assertFailure(
            self.checkerBytes.requestAvatarId(self.badPassBytes),
            error.UnauthorizedLogin,
        )


@skipIf(not crypt, "Required module is unavailable: crypt")
class CryptTests(TestCase):
    """
    L{crypt} has functions for encrypting password.
    """

    def test_verifyCryptedPassword(self):
        """
        L{cred_unix.verifyCryptedPassword}
        """
        password = "sample password ^%$"

        for salt in (None, "ab"):
            try:
                cryptedCorrect = crypt.crypt(password, salt)
                if isinstance(cryptedCorrect, bytes):
                    cryptedCorrect = cryptedCorrect.decode("utf-8")
            except TypeError:
                # Older Python versions would throw a TypeError if
                # a value of None was is used for the salt.
                # Newer Python versions allow it.
                continue
            cryptedIncorrect = "$1x1234"
            self.assertTrue(cred_unix.verifyCryptedPassword(cryptedCorrect, password))
            self.assertFalse(
                cred_unix.verifyCryptedPassword(cryptedIncorrect, password)
            )

        # Python 3.3+ has crypt.METHOD_*, but not all
        # platforms implement all methods.
        for method in ("METHOD_SHA512", "METHOD_SHA256", "METHOD_MD5", "METHOD_CRYPT"):
            cryptMethod = getattr(crypt, method, None)
            if not cryptMethod:
                continue
            password = "interesting password xyz"
            crypted = crypt.crypt(password, cryptMethod)
            if isinstance(crypted, bytes):
                crypted = crypted.decode("utf-8")
            incorrectCrypted = crypted + "blahfooincorrect"
            result = cred_unix.verifyCryptedPassword(crypted, password)
            self.assertTrue(result)
            # Try to pass in bytes
            result = cred_unix.verifyCryptedPassword(
                crypted.encode("utf-8"), password.encode("utf-8")
            )
            self.assertTrue(result)
            result = cred_unix.verifyCryptedPassword(incorrectCrypted, password)
            self.assertFalse(result)
            # Try to pass in bytes
            result = cred_unix.verifyCryptedPassword(
                incorrectCrypted.encode("utf-8"), password.encode("utf-8")
            )
            self.assertFalse(result)

    def test_verifyCryptedPasswordOSError(self):
        """
        L{cred_unix.verifyCryptedPassword} when OSError is raised
        """

        def mockCrypt(password, salt):
            raise OSError("")

        password = "sample password ^%$"
        cryptedCorrect = crypt.crypt(password, "ab")
        self.patch(crypt, "crypt", mockCrypt)
        self.assertFalse(cred_unix.verifyCryptedPassword(cryptedCorrect, password))


class FileDBCheckerTests(TestCase):
    """
    C{--auth=file:...} file checker.
    """

    def setUp(self):
        self.admin = credentials.UsernamePassword(b"admin", b"asdf")
        self.alice = credentials.UsernamePassword(b"alice", b"foo")
        self.badPass = credentials.UsernamePassword(b"alice", b"foobar")
        self.badUser = credentials.UsernamePassword(b"x", b"yz")
        self.filename = self.mktemp()
        FilePath(self.filename).setContent(b"admin:asdf\nalice:foo\n")
        self.checker = strcred.makeChecker("file:" + self.filename)

    def _fakeFilename(self):
        filename = "/DoesNotExist"
        while os.path.exists(filename):
            filename += "_"
        return filename

    def test_isChecker(self):
        """
        Verifies that strcred.makeChecker('memory') returns an object
        that implements the L{ICredentialsChecker} interface.
        """
        self.assertTrue(checkers.ICredentialsChecker.providedBy(self.checker))
        self.assertIn(credentials.IUsernamePassword, self.checker.credentialInterfaces)

    def test_fileCheckerSucceeds(self):
        """
        The checker works with valid credentials.
        """

        def _gotAvatar(username):
            self.assertEqual(username, self.admin.username)

        return self.checker.requestAvatarId(self.admin).addCallback(_gotAvatar)

    def test_fileCheckerFailsUsername(self):
        """
        The checker fails with an invalid username.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badUser), error.UnauthorizedLogin
        )

    def test_fileCheckerFailsPassword(self):
        """
        The checker fails with an invalid password.
        """
        return self.assertFailure(
            self.checker.requestAvatarId(self.badPass), error.UnauthorizedLogin
        )

    def test_failsWithEmptyFilename(self):
        """
        An empty filename raises an error.
        """
        self.assertRaises(ValueError, strcred.makeChecker, "file")
        self.assertRaises(ValueError, strcred.makeChecker, "file:")

    def test_warnWithBadFilename(self):
        """
        When the file auth plugin is given a file that doesn't exist, it
        should produce a warning.
        """
        oldOutput = cred_file.theFileCheckerFactory.errorOutput
        newOutput = StringIO()
        cred_file.theFileCheckerFactory.errorOutput = newOutput
        strcred.makeChecker("file:" + self._fakeFilename())
        cred_file.theFileCheckerFactory.errorOutput = oldOutput
        self.assertIn(cred_file.invalidFileWarning, newOutput.getvalue())


@skipIf(not requireModule("cryptography"), "cryptography is not available")
@skipIf(not requireModule("pyasn1"), "pyasn1 is not available")
class SSHCheckerTests(TestCase):
    """
    Tests for the C{--auth=sshkey:...} checker.  The majority of the
    tests for the ssh public key database checker are in
    L{twisted.conch.test.test_checkers.SSHPublicKeyCheckerTestCase}.
    """

    def test_isChecker(self):
        """
        Verifies that strcred.makeChecker('sshkey') returns an object
        that implements the L{ICredentialsChecker} interface.
        """
        sshChecker = strcred.makeChecker("sshkey")
        self.assertTrue(checkers.ICredentialsChecker.providedBy(sshChecker))
        self.assertIn(credentials.ISSHPrivateKey, sshChecker.credentialInterfaces)


class DummyOptions(usage.Options, strcred.AuthOptionMixin):
    """
    Simple options for testing L{strcred.AuthOptionMixin}.
    """


class CheckerOptionsTests(TestCase):
    def test_createsList(self):
        """
        The C{--auth} command line creates a list in the
        Options instance and appends values to it.
        """
        options = DummyOptions()
        options.parseOptions(["--auth", "memory"])
        self.assertEqual(len(options["credCheckers"]), 1)
        options = DummyOptions()
        options.parseOptions(["--auth", "memory", "--auth", "memory"])
        self.assertEqual(len(options["credCheckers"]), 2)

    def test_invalidAuthError(self):
        """
        The C{--auth} command line raises an exception when it
        gets a parameter it doesn't understand.
        """
        options = DummyOptions()
        # If someone adds a 'ThisPluginDoesNotExist' then this unit
        # test should still run.
        invalidParameter = getInvalidAuthType()
        self.assertRaises(
            usage.UsageError, options.parseOptions, ["--auth", invalidParameter]
        )
        self.assertRaises(
            usage.UsageError,
            options.parseOptions,
            ["--help-auth-type", invalidParameter],
        )

    def test_createsDictionary(self):
        """
        The C{--auth} command line creates a dictionary mapping supported
        interfaces to the list of credentials checkers that support it.
        """
        options = DummyOptions()
        options.parseOptions(["--auth", "memory", "--auth", "anonymous"])
        chd = options["credInterfaces"]
        self.assertEqual(len(chd[credentials.IAnonymous]), 1)
        self.assertEqual(len(chd[credentials.IUsernamePassword]), 1)
        chdAnonymous = chd[credentials.IAnonymous][0]
        chdUserPass = chd[credentials.IUsernamePassword][0]
        self.assertTrue(checkers.ICredentialsChecker.providedBy(chdAnonymous))
        self.assertTrue(checkers.ICredentialsChecker.providedBy(chdUserPass))
        self.assertIn(credentials.IAnonymous, chdAnonymous.credentialInterfaces)
        self.assertIn(credentials.IUsernamePassword, chdUserPass.credentialInterfaces)

    def test_credInterfacesProvidesLists(self):
        """
        When two C{--auth} arguments are passed along which support the same
        interface, a list with both is created.
        """
        options = DummyOptions()
        options.parseOptions(["--auth", "memory", "--auth", "unix"])
        self.assertEqual(
            options["credCheckers"],
            options["credInterfaces"][credentials.IUsernamePassword],
        )

    def test_listDoesNotDisplayDuplicates(self):
        """
        The list for C{--help-auth} does not duplicate items.
        """
        authTypes = []
        options = DummyOptions()
        for cf in options._checkerFactoriesForOptHelpAuth():
            self.assertNotIn(cf.authType, authTypes)
            authTypes.append(cf.authType)

    def test_displaysListCorrectly(self):
        """
        The C{--help-auth} argument correctly displays all
        available authentication plugins, then exits.
        """
        newStdout = StringIO()
        options = DummyOptions()
        options.authOutput = newStdout
        self.assertRaises(SystemExit, options.parseOptions, ["--help-auth"])
        for checkerFactory in strcred.findCheckerFactories():
            self.assertIn(checkerFactory.authType, newStdout.getvalue())

    def test_displaysHelpCorrectly(self):
        """
        The C{--help-auth-for} argument will correctly display the help file
        for a particular authentication plugin.
        """
        newStdout = StringIO()
        options = DummyOptions()
        options.authOutput = newStdout
        self.assertRaises(
            SystemExit, options.parseOptions, ["--help-auth-type", "file"]
        )
        for line in cred_file.theFileCheckerFactory.authHelp:
            if line.strip():
                self.assertIn(line.strip(), newStdout.getvalue())

    def test_unexpectedException(self):
        """
        When the checker specified by C{--auth} raises an unexpected error, it
        should be caught and re-raised within a L{usage.UsageError}.
        """
        options = DummyOptions()
        err = self.assertRaises(
            usage.UsageError, options.parseOptions, ["--auth", "file"]
        )
        self.assertEqual(str(err), "Unexpected error: 'file' requires a filename")


class OptionsForUsernamePassword(usage.Options, strcred.AuthOptionMixin):
    supportedInterfaces = (credentials.IUsernamePassword,)


class OptionsForUsernameHashedPassword(usage.Options, strcred.AuthOptionMixin):
    supportedInterfaces = (credentials.IUsernameHashedPassword,)


class OptionsSupportsAllInterfaces(usage.Options, strcred.AuthOptionMixin):
    supportedInterfaces = None


class OptionsSupportsNoInterfaces(usage.Options, strcred.AuthOptionMixin):
    supportedInterfaces: Sequence[Type[Interface]] = []


class LimitingInterfacesTests(TestCase):
    """
    Tests functionality that allows an application to limit the
    credential interfaces it can support. For the purposes of this
    test, we use IUsernameHashedPassword, although this will never
    really be used by the command line.

    (I have, to date, not thought of a half-decent way for a user to
    specify a hash algorithm via the command-line. Nor do I think it's
    very useful.)

    I should note that, at first, this test is counter-intuitive,
    because we're using the checker with a pre-defined hash function
    as the 'bad' checker. See the documentation for
    L{twisted.cred.checkers.FilePasswordDB.hash} for more details.
    """

    def setUp(self):
        self.filename = self.mktemp()
        with open(self.filename, "wb") as f:
            f.write(b"admin:asdf\nalice:foo\n")
        self.goodChecker = checkers.FilePasswordDB(self.filename)
        self.badChecker = checkers.FilePasswordDB(self.filename, hash=self._hash)
        self.anonChecker = checkers.AllowAnonymousAccess()

    def _hash(self, networkUsername, networkPassword, storedPassword):
        """
        A dumb hash that doesn't really do anything.
        """
        return networkPassword

    def test_supportsInterface(self):
        """
        The supportsInterface method behaves appropriately.
        """
        options = OptionsForUsernamePassword()
        self.assertTrue(options.supportsInterface(credentials.IUsernamePassword))
        self.assertFalse(options.supportsInterface(credentials.IAnonymous))
        self.assertRaises(
            strcred.UnsupportedInterfaces, options.addChecker, self.anonChecker
        )

    def test_supportsAllInterfaces(self):
        """
        The supportsInterface method behaves appropriately
        when the supportedInterfaces attribute is None.
        """
        options = OptionsSupportsAllInterfaces()
        self.assertTrue(options.supportsInterface(credentials.IUsernamePassword))
        self.assertTrue(options.supportsInterface(credentials.IAnonymous))

    def test_supportsCheckerFactory(self):
        """
        The supportsCheckerFactory method behaves appropriately.
        """
        options = OptionsForUsernamePassword()
        fileCF = cred_file.theFileCheckerFactory
        anonCF = cred_anonymous.theAnonymousCheckerFactory
        self.assertTrue(options.supportsCheckerFactory(fileCF))
        self.assertFalse(options.supportsCheckerFactory(anonCF))

    def test_canAddSupportedChecker(self):
        """
        When addChecker is called with a checker that implements at least one
        of the interfaces our application supports, it is successful.
        """
        options = OptionsForUsernamePassword()
        options.addChecker(self.goodChecker)
        iface = options.supportedInterfaces[0]
        # Test that we did get IUsernamePassword
        self.assertIdentical(options["credInterfaces"][iface][0], self.goodChecker)
        self.assertIdentical(options["credCheckers"][0], self.goodChecker)
        # Test that we didn't get IUsernameHashedPassword
        self.assertEqual(len(options["credInterfaces"][iface]), 1)
        self.assertEqual(len(options["credCheckers"]), 1)

    def test_failOnAddingUnsupportedChecker(self):
        """
        When addChecker is called with a checker that does not implement any
        supported interfaces, it fails.
        """
        options = OptionsForUsernameHashedPassword()
        self.assertRaises(
            strcred.UnsupportedInterfaces, options.addChecker, self.badChecker
        )

    def test_unsupportedInterfaceError(self):
        """
        The C{--auth} command line raises an exception when it
        gets a checker we don't support.
        """
        options = OptionsSupportsNoInterfaces()
        authType = cred_anonymous.theAnonymousCheckerFactory.authType
        self.assertRaises(usage.UsageError, options.parseOptions, ["--auth", authType])

    def test_helpAuthLimitsOutput(self):
        """
        C{--help-auth} will only list checkers that purport to
        supply at least one of the credential interfaces our
        application can use.
        """
        options = OptionsForUsernamePassword()
        for factory in options._checkerFactoriesForOptHelpAuth():
            invalid = True
            for interface in factory.credentialInterfaces:
                if options.supportsInterface(interface):
                    invalid = False
            if invalid:
                raise strcred.UnsupportedInterfaces()

    def test_helpAuthTypeLimitsOutput(self):
        """
        C{--help-auth-type} will display a warning if you get
        help for an authType that does not supply at least one of the
        credential interfaces our application can use.
        """
        options = OptionsForUsernamePassword()
        # Find an interface that we can use for our test
        invalidFactory = None
        for factory in strcred.findCheckerFactories():
            if not options.supportsCheckerFactory(factory):
                invalidFactory = factory
                break
        self.assertNotIdentical(invalidFactory, None)
        # Capture output and make sure the warning is there
        newStdout = StringIO()
        options.authOutput = newStdout
        self.assertRaises(
            SystemExit, options.parseOptions, ["--help-auth-type", "anonymous"]
        )
        self.assertIn(strcred.notSupportedWarning, newStdout.getvalue())