author | Michał Górny <mgorny@gentoo.org> | 2013-08-22 21:07:10 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-08-23 12:49:15 +0200 |
commit | 1cea7628f7459cbc50b3f37346f3065be20874c6 (patch) | |
tree | c469f4701c0dbbeba0c49595d26d53775d89dc92 | |
parent | runtests: pass remaining arguments as apps to the runner. (diff) | |
download | identity.gentoo.org-1cea7628f7459cbc50b3f37346f3065be20874c6.tar.gz identity.gentoo.org-1cea7628f7459cbc50b3f37346f3065be20874c6.tar.bz2 identity.gentoo.org-1cea7628f7459cbc50b3f37346f3065be20874c6.zip |
Add tests for SSL auth.
-rw-r--r-- | okupy/tests/unit/test_auth.py | 78 | ||||
-rw-r--r-- | okupy/tests/vars.py | 54 |
2 files changed, 132 insertions, 0 deletions
diff --git a/okupy/tests/unit/test_auth.py b/okupy/tests/unit/test_auth.py
new file mode 100644
index 0000000..1f3eb1d
--- /dev/null
+++ b/okupy/tests/unit/test_auth.py
@@ -0,0 +1,78 @@
+# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
+
+from mockldap import MockLdap
+
+from django.conf import settings
+from django.contrib.auth import authenticate
+from django.test.utils import override_settings
+
+from .. import vars
+from ...common.test_helpers import OkupyTestCase, set_request, ldap_users, set_search_seed
+
+
+class AuthUnitTests(OkupyTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.mockldap = MockLdap(vars.DIRECTORY)
+
+ def setUp(self):
+ self.mockldap.start()
+ self.ldapobject = self.mockldap[settings.AUTH_LDAP_SERVER_URI]
+
+ def tearDown(self):
+ self.mockldap.stop()
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_valid_certificate_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_second_email_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = (
+ vars.test_certificate_with_two_email_addresses)
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('test@test.com', 'mail'))([])
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_no_certificate_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'NONE'
+
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_failed_verification_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'FAILURE'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_unmatched_email_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate_wrong_email
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('wrong@test.com', 'mail'))([])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
diff --git a/okupy/tests/vars.py b/okupy/tests/vars.py
index f4edbc1..4d0ba51 100644
--- a/okupy/tests/vars.py
+++ b/okupy/tests/vars.py
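Review bot: The negative cases do not pin down why `authenticate()` returns None: `test_no_certificate_returns_none` supplies no `SSL_CLIENT_RAW_CERT` and seeds no LDAP result, so it passes whether the backend checks `SSL_CLIENT_VERIFY` or merely fails to find a certificate. Giving it the same certificate and `search_s` seed as `test_failed_verification_returns_none` would make it fail if the verify status were ever ignored. The value `'FAILURE'` in that test also looks constructed; mod_ssl and nginx report a failed check as `FAILED:reason` (mod_ssl additionally has `GENEROUS`), so a case such as `request.META['SSL_CLIENT_VERIFY'] = 'GENEROUS'` would confirm that only an exact `'SUCCESS'` is accepted. A case with `SSL_CLIENT_VERIFY` absent from `request.META` is missing as well; the backend itself is not visible here, so how it treats a missing key is unknown.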
@@ -67,3 +67,57 @@ SIGNUP_TESTUSER = {
 'password_origin': 'testpassword',
 'password_verify': 'testpassword',
 }
+
+# SSL certificates
+
+test_certificate = '''-----BEGIN CERTIFICATE-----
+MIICmzCCAiWgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ
+MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w
+bGVAZXhhbXBsZS5jb20wIBcNMTMwODIyMTgzMjIyWhgPMjExMjAzMTYxODMyMjJa
+MHAxCzAJBgNVBAYTAkVYMRAwDgYDVQQIDAdFeGFtcGxlMRAwDgYDVQQKDAdFeGFt
+cGxlMR4wHAYDVQQDDBVFeGFtcGx1cyBFeGFtcGxpZmljdXMxHTAbBgkqhkiG9w0B
+CQEWDmFsaWNlQHRlc3QuY29tMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKUQ3vP0
+im6+perWzGyjCR59IybPVL55ZdoI3z9vIkhjNW3tvts8j3b94DxMs2W1cpTrT/bF
+Ufof6miRAl1IG6LhITuWh0/3e2WPQZjgL/hWDjNnO2ssa5pFBDC90UlmqQIDAQAB
+o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
+ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUINRMT6uaia+DuzD0UizZwmr6ewkwHwYD
+VR0jBBgwFoAUF8OTfUF4T4McbqiA4uruxlKCanUwDQYJKoZIhvcNAQEFBQADYQCJ
+kSBK5nabnbmeFs53szVk7KemFq+Ew8BdVqjejSdbTB2wsGM+IknlmYOnqfLn1osW
+HBbiw3zv4xb9ahmA68ChbeEyJXj6WKExD4WpAT1sDDAwlqA0fo0KSY/3E0zocs4=
+-----END CERTIFICATE-----'''
+
+test_certificate_wrong_email = '''-----BEGIN CERTIFICATE-----
+MIICkzCCAh2gAwIBAgIBAjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ
+MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w
+bGVAZXhhbXBsZS5jb20wIBcNMTMwODIyMTg0ODEzWhgPMjExMjAzMTYxODQ4MTNa
+MGgxCzAJBgNVBAYTAkVYMRAwDgYDVQQIDAdFeGFtcGxlMRAwDgYDVQQKDAdFeGFt
+cGxlMRYwFAYDVQQDDA1Xcm9uZyBFYQhtYWlsMR0wGwYJKoZIhvcNAQkBFg53cm9u
+Z0B0ZXN0LmNvbTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQClEN7z9IpuvqXq1sxs
+owkefSMmz1S+eWXaCN8/byJIYzVt7b7bPI92/eA8TLNltXKU60/2xVH6H+pokQJd
+SBui4SE7lodP93tlj0GY4C/4Vg4zZztrLGuaRQQwvdFJZqkCAwEAAaN7MHkwCQYD
+VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm
+aWNhdGUwHQYDVR0OBBYEFCDUTE+rmomvg7sw9FIs2cJq+nsJMB8GA1UdIwQYMBaA
+FBfDk31BeE+DHG6ogOLq7sZSgmp1MA0GCSqGSIb3DQEBBQUAA2EAWjm5DIIpuE6e
+v8NFzLjLUTJroCCMxkkCZ/9qRBFIhdHSIjH+m2vgVEfQH3ub44ncVY58WWm/A3xL
+0Va/G/jNXbKVQYiUS12/BF917HDZoYmW2nbyVLXMqcbxu5gIln6C
+-----END CERTIFICATE-----'''
+
+test_certificate_with_two_email_addresses = '''-----BEGIN CERTIFICATE-----
+MIICsTCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ
+MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w
+bGVAZXhhbXBsZS5jb20wIBcNMTMwODIyMTkwMjUwWhgPMjExMjAzMTYxOTAyNTBa
+MIGFMQswCQYDVQQGEwJFWDEQMA4GA1UECAwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEVMBMGA1UEAwwMU29tZW9uZSBFbHNlMRwwGgYJKoZIhvcNAQkBFg10ZXN0
+QHRlc3QuY29tMR0wGwYJKoZIhvcNAQkBFg5hbGljZUB0ZXN0LmNvbTB8MA0GCSqG
+SIb3DQEBAQUAA2sAMGgCYQClEN7z9IpuvqXq1sxsowkefSMmz1S+eWXaCN8/byJI
+YzVt7b7bPI92/eA8TLNltXKU60/2xVH6H+pokQJdSBui4SE7lodP93tlj0GY4C/4
+Vg4zZztrLGuaRQQwvdFJZqkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
+AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCDU
+TE+rmomvg7sw9FIs2cJq+nsJMB8GA1UdIwQYMBaAFBfDk31BeE+DHG6ogOLq7sZS
+gmp1MA0GCSqGSIb3DQEBBQUAA2EAH+Qaz/Dmd5QqU1pVgPUz2loWQhy+cX6bgubJ
+vj3k/SSqj6qjnxryY6QSKWOTRbKhwmRHrrsFRuR2rCZWYZUJ6ohCDYrwVKvs7i2R
+VNG3Q7+oqLajmyDfZmHkENQ0rCdc
+-----END CERTIFICATE-----''' |
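Review bot: The three PEM blobs carry no comment saying what each certificate contains, so a reader of vars.py cannot tell which subject e-mail addresses the tests depend on. Judging by the searches seeded in test_auth.py, comments such as `# subject emailAddress: alice@test.com` above `test_certificate`, `# subject emailAddress: wrong@test.com` above `test_certificate_wrong_email` and `# subject emailAddress: test@test.com, then alice@test.com` above the third would cover it. A line recording how the fixtures were generated would also help when they have to be reissued. The hunk starts inside the module, after `SIGNUP_TESTUSER`, so the rest of vars.py is not visible here.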