authorMichał Górny <mgorny@gentoo.org>2013-08-22 21:07:10 +0200
committerMichał Górny <mgorny@gentoo.org>2013-08-23 12:49:15 +0200
commit1cea7628f7459cbc50b3f37346f3065be20874c6 (patch)
treec469f4701c0dbbeba0c49595d26d53775d89dc92 /okupy
parentruntests: pass remaining arguments as apps to the runner. (diff)
Add tests for SSL auth.
Diffstat (limited to 'okupy')
-rw-r--r--okupy/tests/unit/test_auth.py78
-rw-r--r--okupy/tests/vars.py54
2 files changed, 132 insertions, 0 deletions
diff --git a/okupy/tests/unit/test_auth.py b/okupy/tests/unit/test_auth.py
new file mode 100644
index 0000000..1f3eb1d
--- /dev/null
+++ b/okupy/tests/unit/test_auth.py
@@ -0,0 +1,78 @@
+# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
+
+from mockldap import MockLdap
+
+from django.conf import settings
+from django.contrib.auth import authenticate
+from django.test.utils import override_settings
+
+from .. import vars
+from ...common.test_helpers import OkupyTestCase, set_request, ldap_users, set_search_seed
+
+
+class AuthUnitTests(OkupyTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.mockldap = MockLdap(vars.DIRECTORY)
+
+ def setUp(self):
+ self.mockldap.start()
+ self.ldapobject = self.mockldap[settings.AUTH_LDAP_SERVER_URI]
+
+ def tearDown(self):
+ self.mockldap.stop()
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_valid_certificate_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_second_email_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = (
+ vars.test_certificate_with_two_email_addresses)
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('test@test.com', 'mail'))([])
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_no_certificate_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'NONE'
+
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_failed_verification_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'FAILURE'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ @override_settings(AUTHENTICATION_BACKENDS=(
+ 'okupy.common.auth.SSLCertAuthBackend',))
+ def test_unmatched_email_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.test_certificate_wrong_email
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('wrong@test.com', 'mail'))([])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
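Review bot: The rejection tests cover only `'NONE'` and the literal `'FAILURE'`, so they never exercise the failure values a TLS front end actually reports, nor a request where the variable is missing. Apache mod_ssl and nginx report a failed check as `FAILED:reason`, and mod_ssl can also report `GENEROUS`; a case such as `request.META['SSL_CLIENT_VERIFY'] = 'FAILED:certificate has expired'` (constructed sample), with the alice seed in place as in `test_failed_verification_returns_none`, would pin that only an exact `SUCCESS` authenticates. Two more cases would help, both asserting `None`: one with no `SSL_CLIENT_VERIFY` key at all and one with `SUCCESS` but no `SSL_CLIENT_RAW_CERT`. In the two positive tests, `self.assertIsNotNone(u)` before reading `u.username` would make a regression show up as an assertion failure rather than an `AttributeError`.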
diff --git a/okupy/tests/vars.py b/okupy/tests/vars.py
index f4edbc1..4d0ba51 100644
--- a/okupy/tests/vars.py
+++ b/okupy/tests/vars.py
@@ -67,3 +67,57 @@ SIGNUP_TESTUSER = {
'password_origin': 'testpassword',
'password_verify': 'testpassword',
}
+
+# SSL certificates
+
+test_certificate = '''-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----'''
+
+test_certificate_wrong_email = '''-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----'''
+
+test_certificate_with_two_email_addresses = '''-----BEGIN CERTIFICATE-----
+MIICsTCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJFWDEQ
+MA4GA1UECAwHRXhhbXBsZTEQMA4GA1UEBwwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEUMBIGA1UEAwwLZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1w
+bGVAZXhhbXBsZS5jb20wIBcNMTMwODIyMTkwMjUwWhgPMjExMjAzMTYxOTAyNTBa
+MIGFMQswCQYDVQQGEwJFWDEQMA4GA1UECAwHRXhhbXBsZTEQMA4GA1UECgwHRXhh
+bXBsZTEVMBMGA1UEAwwMU29tZW9uZSBFbHNlMRwwGgYJKoZIhvcNAQkBFg10ZXN0
+QHRlc3QuY29tMR0wGwYJKoZIhvcNAQkBFg5hbGljZUB0ZXN0LmNvbTB8MA0GCSqG
+SIb3DQEBAQUAA2sAMGgCYQClEN7z9IpuvqXq1sxsowkefSMmz1S+eWXaCN8/byJI
+YzVt7b7bPI92/eA8TLNltXKU60/2xVH6H+pokQJdSBui4SE7lodP93tlj0GY4C/4
+Vg4zZztrLGuaRQQwvdFJZqkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC
+AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCDU
+TE+rmomvg7sw9FIs2cJq+nsJMB8GA1UdIwQYMBaAFBfDk31BeE+DHG6ogOLq7sZS
+gmp1MA0GCSqGSIb3DQEBBQUAA2EAH+Qaz/Dmd5QqU1pVgPUz2loWQhy+cX6bgubJ
+vj3k/SSqj6qjnxryY6QSKWOTRbKhwmRHrrsFRuR2rCZWYZUJ6ohCDYrwVKvs7i2R
+VNG3Q7+oqLajmyDfZmHkENQ0rCdc
+-----END CERTIFICATE-----'''
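Review bot: The three fixtures are opaque PEM blobs with no comment saying which subject e-mail addresses each one carries, yet test_auth.py depends on exactly those values (`alice@test.com`, `wrong@test.com`, `test@test.com`). A one-line comment above each would fix that, e.g. `# subject emailAddress: test@test.com, then alice@test.com` above `test_certificate_with_two_email_addresses`. A short note on how the certificates were generated would also let a maintainer recreate them. The address order appears to matter for `test_second_email_authenticates_alice`, which seeds an empty LDAP result for the first address and the alice entry for the second, so the comment should state it.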