mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-22 16:25:17 +00:00
Add tests for token mechanism
This commit is contained in:
parent
c3477ef635
commit
9aab212647
@ -37,11 +37,11 @@ class TokenResource(object):
|
||||
|
||||
margin = 300 # Tolerate 5 minute clock skew as Kerberos does
|
||||
if csum.hexdigest() != req.get_param("c", required=True):
|
||||
raise falcon.HTTPUnauthorized("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
|
||||
raise falcon.HTTPForbidden("Forbidden", "Invalid token supplied, did you copy-paste link correctly?")
|
||||
if now < timestamp - margin:
|
||||
raise falcon.HTTPUnauthorized("Forbidden", "Token not valid yet, are you sure server clock is correct?")
|
||||
raise falcon.HTTPForbidden("Forbidden", "Token not valid yet, are you sure server clock is correct?")
|
||||
if now > timestamp + margin + config.TOKEN_LIFETIME:
|
||||
raise falcon.HTTPUnauthorized("Forbidden", "Token expired")
|
||||
raise falcon.HTTPForbidden("Forbidden", "Token expired")
|
||||
|
||||
# At this point consider token to be legitimate
|
||||
|
||||
@ -88,9 +88,12 @@ class TokenResource(object):
|
||||
# Token lifetime in local time, to select timezone: dpkg-reconfigure tzdata
|
||||
token_created = datetime.fromtimestamp(timestamp)
|
||||
token_expires = datetime.fromtimestamp(timestamp + config.TOKEN_LIFETIME)
|
||||
try:
|
||||
with open("/etc/timezone") as fh:
|
||||
token_timezone = fh.read().strip()
|
||||
|
||||
except EnvironmentError:
|
||||
token_timezone = None
|
||||
context = globals()
|
||||
context.update(locals())
|
||||
mailer.send("token.md", to=user, **context)
|
||||
resp.body = args
|
||||
|
@ -15,5 +15,5 @@ To set up OpenVPN for your device:
|
||||
{% endif %}
|
||||
|
||||
Click [here]({{ config.TOKEN_URL }}?{{ args }}) to claim the token.
|
||||
Token is usable until {{ token_expires }} ({{ token_timezone }} time).
|
||||
Token is usable until {{ token_expires }}{% if token_timezone %} ({{ token_timezone }} time){% endif %}.
|
||||
|
||||
|
@ -258,11 +258,9 @@ def test_cli_setup_authority():
|
||||
# Test static
|
||||
r = client().simulate_delete("/nonexistant.html")
|
||||
assert r.status_code == 404
|
||||
|
||||
r = client().simulate_delete("/index.html")
|
||||
assert r.status_code == 200
|
||||
|
||||
|
||||
# Log can be read only by admin
|
||||
r = client().simulate_get("/api/log/")
|
||||
assert r.status_code == 401
|
||||
@ -273,3 +271,29 @@ def test_cli_setup_authority():
|
||||
headers={"Authorization":admintoken})
|
||||
assert r.status_code == 200
|
||||
assert r.headers.get('content-type') == "application/json; charset=UTF-8"
|
||||
|
||||
# Test token mech
|
||||
r = client().simulate_post("/api/token/")
|
||||
assert r.status_code == 404
|
||||
|
||||
config.BUNDLE_FORMAT = "ovpn"
|
||||
config.USER_ENROLLMENT_ALLOWED = True
|
||||
|
||||
r = client().simulate_post("/api/token/")
|
||||
assert r.status_code == 401 # needs auth
|
||||
r = client().simulate_post("/api/token/",
|
||||
headers={"Authorization":usertoken})
|
||||
assert r.status_code == 403 # regular user forbidden
|
||||
r = client().simulate_post("/api/token/",
|
||||
body="user=userbot", # TODO: test nonexistant user
|
||||
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
|
||||
assert r.status_code == 200 # token generated by admin
|
||||
|
||||
r2 = client().simulate_get("/api/token/",
|
||||
query_string="u=userbot&t=1493184342&c=ac9b71421d5741800c5a4905b20c1072594a2df863e60ba836464888786bf2a6",
|
||||
headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
|
||||
assert r2.status_code == 403 # invalid checksum/timestamp
|
||||
r2 = client().simulate_get("/api/token/", query_string=r.content,
|
||||
headers={"User-Agent":"Mozilla/5.0 (X11; Fedora; Linux x86_64) "
|
||||
"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"})
|
||||
assert r2.status_code == 200 # token consumed by anyone
|
||||
|
Loading…
Reference in New Issue
Block a user