mirror of
https://github.com/laurivosandi/certidude
synced 2024-11-15 17:36:44 +00:00
Add tests for token mechanism
This commit is contained in:
parent
c3477ef635
commit
9aab212647
@ -37,11 +37,11 @@ class TokenResource(object):
|
|||||||
|
|
||||||
margin = 300 # Tolerate 5 minute clock skew as Kerberos does
|
margin = 300 # Tolerate 5 minute clock skew as Kerberos does
|
||||||
if csum.hexdigest() != req.get_param("c", required=True):
|
if csum.hexdigest() != req.get_param("c", required=True):
|
||||||
raise falcon.HTTPUnauthorized("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
|
raise falcon.HTTPForbidden("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
|
||||||
if now < timestamp - margin:
|
if now < timestamp - margin:
|
||||||
raise falcon.HTTPUnauthorized("Forbidden", "Token not valid yet, are you sure server clock is correct?")
|
raise falcon.HTTPForbidden("Forbidden", "Token not valid yet, are you sure server clock is correct?")
|
||||||
if now > timestamp + margin + config.TOKEN_LIFETIME:
|
if now > timestamp + margin + config.TOKEN_LIFETIME:
|
||||||
raise falcon.HTTPUnauthorized("Forbidden", "Token expired")
|
raise falcon.HTTPForbidden("Forbidden", "Token expired")
|
||||||
|
|
||||||
# At this point consider token to be legitimate
|
# At this point consider token to be legitimate
|
||||||
|
|
||||||
@ -88,9 +88,12 @@ class TokenResource(object):
|
|||||||
# Token lifetime in local time, to select timezone: dpkg-reconfigure tzdata
|
# Token lifetime in local time, to select timezone: dpkg-reconfigure tzdata
|
||||||
token_created = datetime.fromtimestamp(timestamp)
|
token_created = datetime.fromtimestamp(timestamp)
|
||||||
token_expires = datetime.fromtimestamp(timestamp + config.TOKEN_LIFETIME)
|
token_expires = datetime.fromtimestamp(timestamp + config.TOKEN_LIFETIME)
|
||||||
|
try:
|
||||||
with open("/etc/timezone") as fh:
|
with open("/etc/timezone") as fh:
|
||||||
token_timezone = fh.read().strip()
|
token_timezone = fh.read().strip()
|
||||||
|
except EnvironmentError:
|
||||||
|
token_timezone = None
|
||||||
context = globals()
|
context = globals()
|
||||||
context.update(locals())
|
context.update(locals())
|
||||||
mailer.send("token.md", to=user, **context)
|
mailer.send("token.md", to=user, **context)
|
||||||
|
resp.body = args
|
||||||
|
@ -15,5 +15,5 @@ To set up OpenVPN for your device:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
Click [here]({{ config.TOKEN_URL }}?{{ args }}) to claim the token.
|
Click [here]({{ config.TOKEN_URL }}?{{ args }}) to claim the token.
|
||||||
Token is usable until {{ token_expires }} ({{ token_timezone }} time).
|
Token is usable until {{ token_expires }}{% if token_timezone %} ({{ token_timezone }} time){% endif %}.
|
||||||
|
|
||||||
|
@ -258,11 +258,9 @@ def test_cli_setup_authority():
|
|||||||
# Test static
|
# Test static
|
||||||
r = client().simulate_delete("/nonexistant.html")
|
r = client().simulate_delete("/nonexistant.html")
|
||||||
assert r.status_code == 404
|
assert r.status_code == 404
|
||||||
|
|
||||||
r = client().simulate_delete("/index.html")
|
r = client().simulate_delete("/index.html")
|
||||||
assert r.status_code == 200
|
assert r.status_code == 200
|
||||||
|
|
||||||
|
|
||||||
# Log can be read only by admin
|
# Log can be read only by admin
|
||||||
r = client().simulate_get("/api/log/")
|
r = client().simulate_get("/api/log/")
|
||||||
assert r.status_code == 401
|
assert r.status_code == 401
|
||||||
@ -273,3 +271,29 @@ def test_cli_setup_authority():
|
|||||||
headers={"Authorization":admintoken})
|
headers={"Authorization":admintoken})
|
||||||
assert r.status_code == 200
|
assert r.status_code == 200
|
||||||
assert r.headers.get('content-type') == "application/json; charset=UTF-8"
|
assert r.headers.get('content-type') == "application/json; charset=UTF-8"
|
||||||
|
|
||||||
|
# Test token mech
|
||||||
|
r = client().simulate_post("/api/token/")
|
||||||
|
assert r.status_code == 404
|
||||||
|
|
||||||
|
config.BUNDLE_FORMAT = "ovpn"
|
||||||
|
config.USER_ENROLLMENT_ALLOWED = True
|
||||||
|
|
||||||
|
r = client().simulate_post("/api/token/")
|
||||||
|
assert r.status_code == 401 # needs auth
|
||||||
|
r = client().simulate_post("/api/token/",
|
||||||
|
headers={"Authorization":usertoken})
|
||||||
|
assert r.status_code == 403 # regular user forbidden
|
||||||
|
r = client().simulate_post("/api/token/",
|
||||||
|
body="user=userbot", # TODO: test nonexistant user
|
||||||
|
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
|
||||||
|
assert r.status_code == 200 # token generated by admin
|
||||||
|
|
||||||
|
r2 = client().simulate_get("/api/token/",
|
||||||
|
query_string="u=userbot&t=1493184342&c=ac9b71421d5741800c5a4905b20c1072594a2df863e60ba836464888786bf2a6",
|
||||||
|
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
|
||||||
|
assert r2.status_code == 403 # invalid checksum/timestamp
|
||||||
|
r2 = client().simulate_get("/api/token/", query_string=r.content,
|
||||||
|
headers={"User-Agent":"Mozilla/5.0 (X11; Fedora; Linux x86_64) "
|
||||||
|
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"})
|
||||||
|
assert r2.status_code == 200 # token consumed by anyone
|
||||||
|
Loading…
Reference in New Issue
Block a user