flask-digestauth/src/flask_digest_auth/test.py

# The Flask HTTP Digest Authentication Project.
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/3

#  Copyright (c) 2022 imacat.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.

"""The test client with HTTP digest authentication enabled.

"""
from secrets import token_urlsafe
from typing import Optional, Literal, Tuple, Dict

from flask import g
from werkzeug.datastructures import Authorization, WWWAuthenticate
from werkzeug.http import parse_set_header
from werkzeug.test import TestResponse, Client as WerkzeugClient

from flask_digest_auth.algo import calc_response, make_password_hash


class Client(WerkzeugClient):
    """The test client with HTTP digest authentication enabled.

    :Example:

    For unittest_:

    ::

        class MyTestCase(flask_testing.TestCase):

            def create_app(self):
                app: Flask = create_app({
                    "SECRET_KEY": token_urlsafe(32),
                    "TESTING": True
                })
                app.test_client_class = Client
                return app

            def test_admin(self):
                response = self.client.get("/admin")
                self.assertEqual(response.status_code, 401)
                response = self.client.get(
                    "/admin", digest_auth=(USERNAME, PASSWORD))
                self.assertEqual(response.status_code, 200)

    For pytest_:

    ::

        @pytest.fixture()
        def app():
            app: Flask = create_app({
                "SECRET_KEY": token_urlsafe(32),
                "TESTING": True
            })
            app.test_client_class = Client
            yield app

        @pytest.fixture()
        def client(app):
            return app.test_client()

        def test_admin(app: Flask, client: Client):
            with app.app_context():
                response = client.get("/admin")
                assert response.status_code == 401
                response = client.get(
                    "/admin", digest_auth=(USERNAME, PASSWORD))
                assert response.status_code == 200

    .. _unittest: https://docs.python.org/3/library/unittest.html
    .. _pytest: https://pytest.org
    """

    def open(self, *args, digest_auth: Optional[Tuple[str, str]] = None,
             **kwargs) -> TestResponse:
        """Opens a request.

        :param args: The arguments.
        :param digest_auth: The (*username*, *password*) tuple for the HTTP
            digest authentication.
        :param kwargs: The keyword arguments.
        :return: The response.
        """
        response: TestResponse = super(Client, self).open(*args, **kwargs)
        www_authenticate: WWWAuthenticate = response.www_authenticate
        if not (response.status_code == 401
                and www_authenticate.type == "digest"
                and digest_auth is not None):
            return response
        if hasattr(g, "_login_user"):
            delattr(g, "_login_user")
        auth_data: Authorization = self.__class__.make_authorization(
            www_authenticate, args[0], digest_auth[0], digest_auth[1])
        response = super(Client, self).open(*args, auth=auth_data, **kwargs)
        return response

    @staticmethod
    def make_authorization(www_authenticate: WWWAuthenticate, uri: str,
                           username: str, password: str) -> Authorization:
        """Composes and returns the request authorization.

        :param www_authenticate: The ``WWW-Authenticate`` response.
        :param uri: The request URI.
        :param username: The username.
        :param password: The password.
        :return: The request authorization.
        """
        qop: Optional[Literal["auth", "auth-int"]] = None
        if "auth" in parse_set_header(www_authenticate.get("qop")):
            qop = "auth"

        cnonce: Optional[str] = None
        if qop is not None or www_authenticate.algorithm == "MD5-sess":
            cnonce = token_urlsafe(8)
        nc: Optional[str] = None
        count: int = 1
        if qop is not None:
            nc: str = hex(count)[2:].zfill(8)

        expected: str = calc_response(
            method="GET", uri=uri,
            password_hash=make_password_hash(www_authenticate.realm,
                                             username, password),
            nonce=www_authenticate.nonce, qop=qop,
            algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,
            body=None)

        data: Dict[str, str] = {
            "username": username, "realm": www_authenticate.realm,
            "nonce": www_authenticate.nonce, "uri": uri, "response": expected}
        if www_authenticate.algorithm is not None:
            data["algorithm"] = www_authenticate.algorithm
        if cnonce is not None:
            data["cnonce"] = cnonce
        if www_authenticate.opaque is not None:
            data["opaque"] = www_authenticate.opaque
        if qop is not None:
            data["qop"] = qop
        if nc is not None:
            data["nc"] = nc

        return Authorization("digest", data=data)
Added the initial version that works. 2022-11-23 15:08:30 +08:00			`# The Flask HTTP Digest Authentication Project.`
			`# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/3`

			`# Copyright (c) 2022 imacat.`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`"""The test client with HTTP digest authentication enabled.`

			`"""`
			`from secrets import token_urlsafe`
Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`from typing import Optional, Literal, Tuple, Dict`
Added the initial version that works. 2022-11-23 15:08:30 +08:00
			`from flask import g`
			`from werkzeug.datastructures import Authorization, WWWAuthenticate`
Revised the code that handles the "qop" and "stale" parameters of the "WWW-Authenticate" response HTTP header for the upcoming Werkzeug 2.4. 2023-05-03 06:56:31 +08:00			`from werkzeug.http import parse_set_header`
Added the initial version that works. 2022-11-23 15:08:30 +08:00			`from werkzeug.test import TestResponse, Client as WerkzeugClient`

			`from flask_digest_auth.algo import calc_response, make_password_hash`


			`class Client(WerkzeugClient):`
Revised the documentation. 2022-12-06 21:54:10 +08:00			`"""The test client with HTTP digest authentication enabled.`

Revised the documentations. 2022-12-06 23:50:46 +08:00			`:Example:`

			`For unittest_:`
Revised the documentation. 2022-12-06 21:54:10 +08:00
			`::`

			`class MyTestCase(flask_testing.TestCase):`

			`def create_app(self):`
			`app: Flask = create_app({`
			`"SECRET_KEY": token_urlsafe(32),`
			`"TESTING": True`
			`})`
			`app.test_client_class = Client`
			`return app`

			`def test_admin(self):`
			`response = self.client.get("/admin")`
			`self.assertEqual(response.status_code, 401)`
			`response = self.client.get(`
Replaced "my_user" and "my_pass" with USERNAME and PASSWORD in the examples of the test client in the documentation, to avoid GitGuardian from detecting them as real passwords. 2022-12-07 18:55:52 +08:00			`"/admin", digest_auth=(USERNAME, PASSWORD))`
Revised the documentation. 2022-12-06 21:54:10 +08:00			`self.assertEqual(response.status_code, 200)`

Revised the documentations. 2022-12-06 23:50:46 +08:00			`For pytest_:`
Revised the documentation. 2022-12-06 21:54:10 +08:00
			`::`

			`@pytest.fixture()`
			`def app():`
			`app: Flask = create_app({`
			`"SECRET_KEY": token_urlsafe(32),`
			`"TESTING": True`
			`})`
			`app.test_client_class = Client`
			`yield app`

			`@pytest.fixture()`
			`def client(app):`
			`return app.test_client()`

			`def test_admin(app: Flask, client: Client):`
			`with app.app_context():`
Fixed the documentation on the pytest example. 2022-12-06 22:46:52 +08:00			`response = client.get("/admin")`
Revised the documentation. 2022-12-06 21:54:10 +08:00			`assert response.status_code == 401`
Fixed the documentation on the pytest example. 2022-12-06 22:46:52 +08:00			`response = client.get(`
Replaced "my_user" and "my_pass" with USERNAME and PASSWORD in the examples of the test client in the documentation, to avoid GitGuardian from detecting them as real passwords. 2022-12-07 18:55:52 +08:00			`"/admin", digest_auth=(USERNAME, PASSWORD))`
Revised the documentation. 2022-12-06 21:54:10 +08:00			`assert response.status_code == 200`
Revised the documentations. 2022-12-06 23:50:46 +08:00
			`.. _unittest: https://docs.python.org/3/library/unittest.html`
			`.. _pytest: https://pytest.org`
Revised the documentation. 2022-12-06 21:54:10 +08:00			`"""`
Added the initial version that works. 2022-11-23 15:08:30 +08:00
Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`def open(self, *args, digest_auth: Optional[Tuple[str, str]] = None,`
Added the initial version that works. 2022-11-23 15:08:30 +08:00			`**kwargs) -> TestResponse:`
			`"""Opens a request.`

			`:param args: The arguments.`
Revised the documentation for digest_auth parameter of the open method in the test client, to be clear. 2022-12-07 18:59:41 +08:00			`:param digest_auth: The (username, password) tuple for the HTTP`
Revised the documentation of the Client class and the calc_response function. 2022-12-06 18:01:01 +08:00			`digest authentication.`
Added the initial version that works. 2022-11-23 15:08:30 +08:00			`:param kwargs: The keyword arguments.`
			`:return: The response.`
			`"""`
			`response: TestResponse = super(Client, self).open(args, *kwargs)`
			`www_authenticate: WWWAuthenticate = response.www_authenticate`
			`if not (response.status_code == 401`
			`and www_authenticate.type == "digest"`
			`and digest_auth is not None):`
			`return response`
			`if hasattr(g, "_login_user"):`
			`delattr(g, "_login_user")`
Changed the make_authorization method from private to public in the test client. 2022-11-24 18:45:11 +08:00			`auth_data: Authorization = self.__class__.make_authorization(`
Added the initial version that works. 2022-11-23 15:08:30 +08:00			`www_authenticate, args[0], digest_auth[0], digest_auth[1])`
			`response = super(Client, self).open(args, auth=auth_data, *kwargs)`
			`return response`

Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`@staticmethod`
Changed the make_authorization method from private to public in the test client. 2022-11-24 18:45:11 +08:00			`def make_authorization(www_authenticate: WWWAuthenticate, uri: str,`
			`username: str, password: str) -> Authorization:`
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`"""Composes and returns the request authorization.`
Added the initial version that works. 2022-11-23 15:08:30 +08:00
Revised the documentation of the Client class and the calc_response function. 2022-12-06 18:01:01 +08:00			:param www_authenticate: The ``WWW-Authenticate`` response.
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`:param uri: The request URI.`
			`:param username: The username.`
			`:param password: The password.`
			`:return: The request authorization.`
			`"""`
Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`qop: Optional[Literal["auth", "auth-int"]] = None`
Revised the code that handles the "qop" and "stale" parameters of the "WWW-Authenticate" response HTTP header for the upcoming Werkzeug 2.4. 2023-05-03 06:56:31 +08:00			`if "auth" in parse_set_header(www_authenticate.get("qop")):`
Revised the code in the make_authorization method of the test client. 2022-11-29 21:53:16 +08:00			`qop = "auth"`
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00
Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`cnonce: Optional[str] = None`
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`if qop is not None or www_authenticate.algorithm == "MD5-sess":`
			`cnonce = token_urlsafe(8)`
Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`nc: Optional[str] = None`
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`count: int = 1`
			`if qop is not None:`
			`nc: str = hex(count)[2:].zfill(8)`

			`expected: str = calc_response(`
			`method="GET", uri=uri,`
			`password_hash=make_password_hash(www_authenticate.realm,`
			`username, password),`
			`nonce=www_authenticate.nonce, qop=qop,`
			`algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,`
			`body=None)`

Replaced importing the "typing" module as "t" with importing the individual names in the "typing" module. We do not have as many names to import. This is also to be consistent with the practices of most major and standard packages and examples. 2023-04-26 23:15:13 +08:00			`data: Dict[str, str] = {`
Moved the _get_req_auth function into the test client class, and renamed it to __make_authorization. 2022-11-24 04:16:36 +08:00			`"username": username, "realm": www_authenticate.realm,`
			`"nonce": www_authenticate.nonce, "uri": uri, "response": expected}`
			`if www_authenticate.algorithm is not None:`
			`data["algorithm"] = www_authenticate.algorithm`
			`if cnonce is not None:`
			`data["cnonce"] = cnonce`
			`if www_authenticate.opaque is not None:`
			`data["opaque"] = www_authenticate.opaque`
			`if qop is not None:`
			`data["qop"] = qop`
			`if nc is not None:`
			`data["nc"] = nc`

			`return Authorization("digest", data=data)`