Compare commits
30 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| da466b74f4 | |||
| 76ae576717 | |||
| 9da7cec1f5 | |||
| 2d0a8dbcd8 | |||
| a3bc807192 | |||
| 848971709a | |||
| 409b04af47 | |||
| a8c34eb367 | |||
| cc96987a18 | |||
| 1f657568bb | |||
| 320cfe1700 | |||
| a5188c9aa1 | |||
| b62b98bd51 | |||
| 877f02fe82 | |||
| bc888195ad | |||
| 8e69733cf6 | |||
| f04ea7ac18 | |||
| 15ea650ddd | |||
| 5b255b6504 | |||
| 919b8d0dc3 | |||
| 604ed0be27 | |||
| 9e0a06bd4c | |||
| e861cae2e0 | |||
| 264ba158ee | |||
| d1fd0c3693 | |||
| bc15a578cb | |||
| cedff68247 | |||
| 769ca7dddd | |||
| 33eb81f368 | |||
| 5faf51c49b |
41
.readthedocs.yaml
Normal file
41
.readthedocs.yaml
Normal file
@ -0,0 +1,41 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2023/4/5
|
||||
|
||||
# Copyright (c) 2023 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# .readthedocs.yaml
|
||||
# Read the Docs configuration file
|
||||
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
|
||||
|
||||
# Required
|
||||
version: 2
|
||||
|
||||
# Set the version of Python and other tools you might need
|
||||
build:
|
||||
os: ubuntu-22.04
|
||||
tools:
|
||||
python: "3.8"
|
||||
|
||||
# Build documentation in the docs/ directory with Sphinx
|
||||
|
||||
# If using Sphinx, optionally build your docs in additional formats such as PDF
|
||||
formats: all
|
||||
|
||||
# Optionally declare the Python requirements required to build your docs
|
||||
python:
|
||||
install:
|
||||
- method: pip
|
||||
path: .
|
||||
- requirements: docs/requirements.txt
|
||||
@ -15,8 +15,7 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
include docs/*
|
||||
include docs/source/*
|
||||
include docs/source/_static/*
|
||||
include docs/source/_templates/*
|
||||
include tests/*
|
||||
recursive-include docs *
|
||||
recursive-exclude docs/build *
|
||||
recursive-include tests *
|
||||
recursive-exclude tests *.pyc
|
||||
|
||||
344
README.rst
344
README.rst
@ -12,8 +12,6 @@ views.
|
||||
|
||||
HTTP Digest Authentication is specified in `RFC 2617`_.
|
||||
|
||||
Refer to the full `Flask-DigestAuth readthedocs documentation`_.
|
||||
|
||||
|
||||
Why HTTP Digest Authentication?
|
||||
-------------------------------
|
||||
@ -52,345 +50,16 @@ You may also install the latest source from the
|
||||
pip install git+https://github.com/imacat/flask-digestauth.git
|
||||
|
||||
|
||||
Configuration
|
||||
Documentation
|
||||
=============
|
||||
|
||||
Flask-DigestAuth takes the configuration ``DIGEST_AUTH_REALM`` as the
|
||||
realm. The default realm is ``Login Required``.
|
||||
Refer to the `documentation on Read the Docs`_.
|
||||
|
||||
|
||||
Setting the Password
|
||||
====================
|
||||
Change Log
|
||||
==========
|
||||
|
||||
The password hash of the HTTP Digest Authentication is composed of the
|
||||
realm, the username, and the password. Example for setting the
|
||||
password:
|
||||
|
||||
::
|
||||
|
||||
from flask_digest_auth import make_password_hash
|
||||
|
||||
user.password = make_password_hash(realm, username, password)
|
||||
|
||||
The username is part of the hash. If the user changes their username,
|
||||
you need to ask their password, to generate and store the new password
|
||||
hash.
|
||||
|
||||
|
||||
Flask-DigestAuth Alone
|
||||
======================
|
||||
|
||||
Flask-DigestAuth can authenticate the users alone.
|
||||
|
||||
|
||||
Simple Applications with Flask-DigestAuth Alone
|
||||
-----------------------------------------------
|
||||
|
||||
In your ``my_app.py``:
|
||||
|
||||
::
|
||||
|
||||
from flask import Flask, request, redirect
|
||||
from flask_digest_auth import DigestAuth
|
||||
|
||||
app: flask = Flask(__name__)
|
||||
... (Configure the Flask application) ...
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
auth.init_app(app)
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
... (Load the password hash) ...
|
||||
|
||||
@auth.register_get_user
|
||||
def get_user(username: str) -> t.Optional[t.Any]:
|
||||
... (Load the user) ...
|
||||
|
||||
@app.get("/admin")
|
||||
@auth.login_required
|
||||
def admin():
|
||||
return f"Hello, {g.user.username}!"
|
||||
|
||||
@app.post("/logout")
|
||||
@auth.login_required
|
||||
def logout():
|
||||
auth.logout()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
|
||||
Larger Applications with ``create_app()`` with Flask-DigestAuth Alone
|
||||
---------------------------------------------------------------------
|
||||
|
||||
In your ``my_app/__init__.py``:
|
||||
|
||||
::
|
||||
|
||||
from flask import Flask
|
||||
from flask_digest_auth import DigestAuth
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
|
||||
def create_app(test_config = None) -> Flask:
|
||||
app: flask = Flask(__name__)
|
||||
... (Configure the Flask application) ...
|
||||
|
||||
auth.init_app(app)
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
... (Load the password hash) ...
|
||||
|
||||
@auth.register_get_user
|
||||
def get_user(username: str) -> t.Optional[t.Any]:
|
||||
... (Load the user) ...
|
||||
|
||||
return app
|
||||
|
||||
In your ``my_app/views.py``:
|
||||
|
||||
::
|
||||
|
||||
from my_app import auth
|
||||
from flask import Flask, Blueprint, request, redirect
|
||||
|
||||
bp = Blueprint("admin", __name__, url_prefix="/admin")
|
||||
|
||||
@bp.get("/admin")
|
||||
@auth.login_required
|
||||
def admin():
|
||||
return f"Hello, {g.user.username}!"
|
||||
|
||||
@app.post("/logout")
|
||||
@auth.login_required
|
||||
def logout():
|
||||
auth.logout()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
def init_app(app: Flask) -> None:
|
||||
app.register_blueprint(bp)
|
||||
|
||||
|
||||
|
||||
Flask-Login Integration
|
||||
=======================
|
||||
|
||||
Flask-DigestAuth works with Flask-Login_. You can write a Flask
|
||||
module that requires log in, without specifying how to log in. The
|
||||
application can use either HTTP Digest Authentication, or the log in
|
||||
forms, as needed.
|
||||
|
||||
To use Flask-Login with Flask-DigestAuth,
|
||||
``login_manager.init_app(app)`` must be called before
|
||||
``auth.init_app(app)``.
|
||||
|
||||
The currently logged-in user can be retrieved at
|
||||
``flask_login.current_user``, if any.
|
||||
|
||||
The views only depend on Flask-Login, but not the Flask-DigestAuth.
|
||||
You can change the actual authentication mechanism without changing
|
||||
the views.
|
||||
|
||||
|
||||
Simple Applications with Flask-Login Integration
|
||||
------------------------------------------------
|
||||
|
||||
In your ``my_app.py``:
|
||||
|
||||
::
|
||||
|
||||
import flask_login
|
||||
from flask import Flask, request, redirect
|
||||
from flask_digest_auth import DigestAuth
|
||||
|
||||
app: flask = Flask(__name__)
|
||||
... (Configure the Flask application) ...
|
||||
|
||||
login_manager: flask_login.LoginManager = flask_login.LoginManager()
|
||||
login_manager.init_app(app)
|
||||
|
||||
@login_manager.user_loader
|
||||
def load_user(user_id: str) -> t.Optional[User]:
|
||||
... (Load the user with the username) ...
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
auth.init_app(app)
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
... (Load the password hash) ...
|
||||
|
||||
@app.get("/admin")
|
||||
@flask_login.login_required
|
||||
def admin():
|
||||
return f"Hello, {flask_login.current_user.get_id()}!"
|
||||
|
||||
@app.post("/logout")
|
||||
@flask_login.login_required
|
||||
def logout():
|
||||
auth.logout()
|
||||
# Do not call flask_login.logout_user()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
|
||||
Larger Applications with ``create_app()`` with Flask-Login Integration
|
||||
----------------------------------------------------------------------
|
||||
|
||||
In your ``my_app/__init__.py``:
|
||||
|
||||
::
|
||||
|
||||
from flask import Flask
|
||||
from flask_digest_auth import DigestAuth
|
||||
from flask_login import LoginManager
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
|
||||
def create_app(test_config = None) -> Flask:
|
||||
app: flask = Flask(__name__)
|
||||
... (Configure the Flask application) ...
|
||||
|
||||
login_manager: LoginManager = LoginManager()
|
||||
login_manager.init_app(app)
|
||||
|
||||
@login_manager.user_loader
|
||||
def load_user(user_id: str) -> t.Optional[User]:
|
||||
... (Load the user with the username) ...
|
||||
|
||||
auth.init_app(app)
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
... (Load the password hash) ...
|
||||
|
||||
return app
|
||||
|
||||
In your ``my_app/views.py``:
|
||||
|
||||
::
|
||||
|
||||
import flask_login
|
||||
from flask import Flask, Blueprint, request, redirect
|
||||
from my_app import auth
|
||||
|
||||
bp = Blueprint("admin", __name__, url_prefix="/admin")
|
||||
|
||||
@bp.get("/admin")
|
||||
@flask_login.login_required
|
||||
def admin():
|
||||
return f"Hello, {flask_login.current_user.get_id()}!"
|
||||
|
||||
@app.post("/logout")
|
||||
@flask_login.login_required
|
||||
def logout():
|
||||
auth.logout()
|
||||
# Do not call flask_login.logout_user()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
def init_app(app: Flask) -> None:
|
||||
app.register_blueprint(bp)
|
||||
|
||||
The views only depend on Flask-Login, but not the actual
|
||||
authentication mechanism. You can change the actual authentication
|
||||
mechanism without changing the views.
|
||||
|
||||
|
||||
Session Integration
|
||||
===================
|
||||
|
||||
Flask-DigestAuth features session integration. The user log in
|
||||
is remembered in the session. The authentication information is not
|
||||
requested again. This is different to the practice of the HTTP Digest
|
||||
Authentication, but is convenient for the log in accounting.
|
||||
|
||||
|
||||
Log In Bookkeeping
|
||||
==================
|
||||
|
||||
You can register a callback to run when the user logs in, for ex.,
|
||||
logging the log in event, adding the log in counter, etc.
|
||||
|
||||
::
|
||||
|
||||
@auth.register_on_login
|
||||
def on_login(user: User) -> None:
|
||||
user.visits = user.visits + 1
|
||||
|
||||
|
||||
Log Out
|
||||
=======
|
||||
|
||||
Flask-DigestAuth supports log out. The user will be prompted for the
|
||||
new username and password.
|
||||
|
||||
|
||||
Test Client
|
||||
===========
|
||||
|
||||
Flask-DigestAuth comes with a test client that supports HTTP digest
|
||||
authentication.
|
||||
|
||||
|
||||
A unittest Test Case
|
||||
--------------------
|
||||
|
||||
::
|
||||
|
||||
from flask import Flask
|
||||
from flask_digest_auth import Client
|
||||
from flask_testing import TestCase
|
||||
from my_app import create_app
|
||||
|
||||
class MyTestCase(TestCase):
|
||||
|
||||
def create_app(self):
|
||||
app: Flask = create_app({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": "admin",
|
||||
})
|
||||
app.test_client_class = Client
|
||||
return app
|
||||
|
||||
def test_admin(self):
|
||||
response = self.client.get("/admin")
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
|
||||
A pytest Test
|
||||
-------------
|
||||
|
||||
::
|
||||
|
||||
import pytest
|
||||
from flask import Flask
|
||||
from flask_digest_auth import Client
|
||||
from my_app import create_app
|
||||
|
||||
@pytest.fixture()
|
||||
def app():
|
||||
app: Flask = create_app({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": "admin",
|
||||
})
|
||||
app.test_client_class = Client
|
||||
yield app
|
||||
|
||||
@pytest.fixture()
|
||||
def client(app):
|
||||
return app.test_client()
|
||||
|
||||
def test_admin(app: Flask, client: Client):
|
||||
with app.app_context():
|
||||
response = client.get("/admin")
|
||||
assert response.status_code == 401
|
||||
response = client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
assert response.status_code == 200
|
||||
Refer to the `change log`_.
|
||||
|
||||
|
||||
Copyright
|
||||
@ -422,5 +91,6 @@ Authors
|
||||
.. _RFC 2617: https://www.rfc-editor.org/rfc/rfc2617
|
||||
.. _Flask: https://flask.palletsprojects.com
|
||||
.. _Flask-DigestAuth GitHub repository: https://github.com/imacat/flask-digestauth
|
||||
.. _Flask-DigestAuth readthedocs documentation: https://flask-digestauth.readthedocs.io
|
||||
.. _Flask-Login: https://flask-login.readthedocs.io
|
||||
.. _documentation on Read the Docs: https://flask-digestauth.readthedocs.io
|
||||
.. _change log: https://flask-digestauth.readthedocs.io/en/latest/changelog.html
|
||||
|
||||
@ -1 +1 @@
|
||||
flask
|
||||
sphinx_rtd_theme
|
||||
|
||||
161
docs/source/changelog.rst
Normal file
161
docs/source/changelog.rst
Normal file
@ -0,0 +1,161 @@
|
||||
Change Log
|
||||
==========
|
||||
|
||||
|
||||
Version 0.7.1
|
||||
-------------
|
||||
|
||||
Released 2024/12/9
|
||||
|
||||
Fix test cases for compatibility with httpx 0.28.0.
|
||||
|
||||
|
||||
Version 0.7.0
|
||||
-------------
|
||||
|
||||
Released 2023/10/8
|
||||
|
||||
* Removed the test client. You should use httpx instead of Flask-Testing
|
||||
when writing automatic tests. Flask-Testing is not maintained for more
|
||||
than 3 years, and is not compatible with Flask 3 now.
|
||||
* Revised to skip the tests when Flask-Login is not compatible with Werkzeug.
|
||||
|
||||
|
||||
Version 0.6.2
|
||||
-------------
|
||||
|
||||
Released 2023/6/10
|
||||
|
||||
* Changed logging from STDERR to the Flask logger.
|
||||
* Test case updates:
|
||||
* Added missing documentation.
|
||||
* Changed properties from public to private.
|
||||
* Disabled logging.
|
||||
|
||||
|
||||
Version 0.6.1
|
||||
-------------
|
||||
|
||||
Released 2023/5/3
|
||||
|
||||
* Revised the code for the upcoming Werkzeug 2.4.
|
||||
|
||||
|
||||
Version 0.6.0
|
||||
-------------
|
||||
|
||||
Released 2023/4/26
|
||||
|
||||
* Updated the minimal Python version to 3.8.
|
||||
* Switched from ``setup.cfg`` to ``pyproject.toml``.
|
||||
* Added the change log.
|
||||
* Simplified ``README.rst``.
|
||||
|
||||
|
||||
Version 0.5.0
|
||||
-------------
|
||||
|
||||
Released 2023/1/6
|
||||
|
||||
* Added the ``DIGEST_AUTH_REALM`` configuration variable as the
|
||||
recommended way to set the authentication realm.
|
||||
* Changed the default realm from an empty string to
|
||||
``Login Required``.
|
||||
|
||||
|
||||
Version 0.4.0
|
||||
-------------
|
||||
|
||||
Released 2023/1/4
|
||||
|
||||
* Changed the package name from ``flask-digest-auth`` to
|
||||
``Flask-DigestAuth``, according to the Flask recommended extension
|
||||
guidelines
|
||||
https://flask.palletsprojects.com/en/latest/extensiondev/ .
|
||||
* Replaced ``app.digest_auth`` with ``app.extensions["digest-auth"]``
|
||||
to store the ``DigestAuth`` instance.
|
||||
* Replaced ``auth.app`` with ``current_app``, to prevent circular
|
||||
imports.
|
||||
|
||||
|
||||
Version 0.3.1
|
||||
-------------
|
||||
|
||||
Released 2022/12/29
|
||||
|
||||
Fixed the missing authentication state with disabled users.
|
||||
|
||||
|
||||
Version 0.3.0
|
||||
-------------
|
||||
|
||||
Released 2022/12/7
|
||||
|
||||
Changed the visibility of several methods and properties of the
|
||||
DigestAuth class that should be private to private.
|
||||
|
||||
|
||||
Version 0.2.4
|
||||
-------------
|
||||
|
||||
Released 2022/12/6
|
||||
|
||||
Fixed the pytest example in the documentation.
|
||||
|
||||
|
||||
Version 0.2.3
|
||||
-------------
|
||||
|
||||
Released 2022/12/6
|
||||
|
||||
Fixed the dependencies for the documentation hosted on Read the Docs.
|
||||
|
||||
|
||||
Version 0.2.2
|
||||
-------------
|
||||
|
||||
Released 2022/12/6
|
||||
|
||||
Added the Sphinx documentation, and hosted the documentation on
|
||||
Read the Docs.
|
||||
|
||||
|
||||
Version 0.2.1
|
||||
-------------
|
||||
|
||||
Released 2022/12/6
|
||||
|
||||
Various fixes, with the help from SonarQube.
|
||||
|
||||
|
||||
Version 0.2.0
|
||||
-------------
|
||||
|
||||
Released 2022/11/27
|
||||
|
||||
* Added log out support. User can log out.
|
||||
* Added on-login event handler. You can do some accounting when the
|
||||
user logs in.
|
||||
|
||||
This release is written in Sydney and on the international flight,
|
||||
and released in Taipei.
|
||||
|
||||
|
||||
Version 0.1.1
|
||||
-------------
|
||||
|
||||
Released 2022/11/24
|
||||
|
||||
Changed the minimal Python version to 3.7.
|
||||
|
||||
Released at Sydney, Australia on vacation.
|
||||
|
||||
|
||||
Version 0.1.0
|
||||
-------------
|
||||
|
||||
Released 2022/11/24
|
||||
|
||||
The initial release.
|
||||
|
||||
Released at Sydney, Australia on vacation.
|
||||
@ -6,6 +6,7 @@ import os
|
||||
import sys
|
||||
|
||||
sys.path.insert(0, os.path.abspath('../../src/'))
|
||||
import flask_digest_auth
|
||||
|
||||
# -- Project information -----------------------------------------------------
|
||||
# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
|
||||
@ -13,7 +14,7 @@ sys.path.insert(0, os.path.abspath('../../src/'))
|
||||
project = 'Flask-DigestAuth'
|
||||
copyright = '2022-2023, imacat'
|
||||
author = 'imacat'
|
||||
release = '0.5.0'
|
||||
release = flask_digest_auth.VERSION
|
||||
|
||||
# -- General configuration ---------------------------------------------------
|
||||
# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
|
||||
|
||||
@ -199,70 +199,3 @@ In your ``my_app/views.py``:
|
||||
The views only depend on Flask-Login, but not the actual
|
||||
authentication mechanism. You can change the actual authentication
|
||||
mechanism without changing the views.
|
||||
|
||||
|
||||
.. _example-unittest:
|
||||
|
||||
A unittest Test Case
|
||||
--------------------
|
||||
|
||||
::
|
||||
|
||||
from flask import Flask
|
||||
from flask_digest_auth import Client
|
||||
from flask_testing import TestCase
|
||||
from my_app import create_app
|
||||
|
||||
class MyTestCase(TestCase):
|
||||
|
||||
def create_app(self):
|
||||
app: Flask = create_app({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": "admin",
|
||||
})
|
||||
app.test_client_class = Client
|
||||
return app
|
||||
|
||||
def test_admin(self):
|
||||
response = self.client.get("/admin")
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
|
||||
|
||||
.. _example-pytest:
|
||||
|
||||
A pytest Test
|
||||
-------------
|
||||
|
||||
::
|
||||
|
||||
import pytest
|
||||
from flask import Flask
|
||||
from flask_digest_auth import Client
|
||||
from my_app import create_app
|
||||
|
||||
@pytest.fixture()
|
||||
def app():
|
||||
app: Flask = create_app({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": "admin",
|
||||
})
|
||||
app.test_client_class = Client
|
||||
yield app
|
||||
|
||||
@pytest.fixture()
|
||||
def client(app):
|
||||
return app.test_client()
|
||||
|
||||
def test_admin(app: Flask, client: Client):
|
||||
with app.app_context():
|
||||
response = client.get("/admin")
|
||||
assert response.status_code == 401
|
||||
response = client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
assert response.status_code == 200
|
||||
|
||||
@ -20,14 +20,6 @@ flask\_digest\_auth.auth module
|
||||
:undoc-members:
|
||||
:show-inheritance:
|
||||
|
||||
flask\_digest\_auth.test module
|
||||
-------------------------------
|
||||
|
||||
.. automodule:: flask_digest_auth.test
|
||||
:members:
|
||||
:undoc-members:
|
||||
:show-inheritance:
|
||||
|
||||
Module contents
|
||||
---------------
|
||||
|
||||
|
||||
@ -19,6 +19,7 @@ HTTP Digest Authentication is specified in `RFC 2617`_.
|
||||
intro
|
||||
flask_digest_auth
|
||||
examples
|
||||
changelog
|
||||
|
||||
|
||||
|
||||
|
||||
@ -137,17 +137,6 @@ new username and password.
|
||||
See :meth:`flask_digest_auth.auth.DigestAuth.logout`.
|
||||
|
||||
|
||||
Test Client
|
||||
-----------
|
||||
|
||||
Flask-DigestAuth comes with a test client that supports HTTP digest
|
||||
authentication.
|
||||
|
||||
See :class:`flask_digest_auth.test.Client`.
|
||||
|
||||
Also see :ref:`example-unittest` and :ref:`example-pytest`.
|
||||
|
||||
|
||||
.. _HTTP Digest Authentication: https://en.wikipedia.org/wiki/Digest_access_authentication
|
||||
.. _RFC 2617: https://www.rfc-editor.org/rfc/rfc2617
|
||||
.. _Flask: https://flask.palletsprojects.com
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/23
|
||||
|
||||
# Copyright (c) 2022 imacat.
|
||||
# Copyright (c) 2022-2024 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@ -15,6 +15,42 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
[project]
|
||||
name = "Flask-DigestAuth"
|
||||
dynamic = ["version"]
|
||||
description = "The Flask HTTP Digest Authentication project."
|
||||
readme = "README.rst"
|
||||
requires-python = ">=3.8"
|
||||
authors = [
|
||||
{name = "imacat", email = "imacat@mail.imacat.idv.tw"},
|
||||
]
|
||||
keywords = ["flask", "digest-authentication"]
|
||||
classifiers = [
|
||||
"Programming Language :: Python :: 3",
|
||||
"License :: OSI Approved :: Apache Software License",
|
||||
"Operating System :: OS Independent",
|
||||
"Framework :: Flask",
|
||||
"Topic :: System :: Systems Administration :: Authentication/Directory",
|
||||
"Intended Audience :: Developers",
|
||||
]
|
||||
dependencies = [
|
||||
"Flask",
|
||||
]
|
||||
|
||||
[project.optional-dependencies]
|
||||
devel = [
|
||||
"httpx >= 0.20.0",
|
||||
]
|
||||
|
||||
[project.urls]
|
||||
"Documentation" = "https://flask-digestauth.readthedocs.io"
|
||||
"Change Log" = "https://mia-accounting.readthedocs.io/en/latest/changelog.html"
|
||||
"Repository" = "https://github.com/imacat/flask-digestauth"
|
||||
"Bug Tracker" = "https://github.com/imacat/flask-digestauth/issues"
|
||||
|
||||
[build-system]
|
||||
requires = ["setuptools>=42"]
|
||||
build-backend = "setuptools.build_meta"
|
||||
|
||||
[tool.setuptools.dynamic]
|
||||
version = {attr = "flask_digest_auth.VERSION"}
|
||||
|
||||
53
setup.cfg
53
setup.cfg
@ -1,53 +0,0 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/23
|
||||
|
||||
# Copyright (c) 2022-2023 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
[metadata]
|
||||
name = Flask-DigestAuth
|
||||
version = 0.5.0
|
||||
author = imacat
|
||||
author_email = imacat@mail.imacat.idv.tw
|
||||
description = The Flask HTTP Digest Authentication project.
|
||||
long_description = file: README.rst
|
||||
long_description_content_type = text/x-rst
|
||||
url = https://github.com/imacat/flask-digestauth
|
||||
project_urls =
|
||||
Bug Tracker = https://github.com/imacat/flask-digestauth/issues
|
||||
classifiers =
|
||||
Programming Language :: Python :: 3
|
||||
License :: OSI Approved :: Apache Software License
|
||||
Operating System :: OS Independent
|
||||
Framework :: Flask
|
||||
Topic :: System :: Systems Administration :: Authentication/Directory
|
||||
Intended Audience :: Developers
|
||||
|
||||
[options]
|
||||
package_dir =
|
||||
= src
|
||||
packages = find:
|
||||
python_requires = >=3.7
|
||||
install_requires =
|
||||
flask
|
||||
tests_require =
|
||||
unittest
|
||||
flask-testing
|
||||
|
||||
[options.packages.find]
|
||||
where = src
|
||||
|
||||
[options.extras_require]
|
||||
flask_login =
|
||||
flask-login
|
||||
@ -1,7 +1,7 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/6
|
||||
|
||||
# Copyright (c) 2022 imacat.
|
||||
# Copyright (c) 2022-2023 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@ -20,4 +20,6 @@
|
||||
"""
|
||||
from flask_digest_auth.algo import make_password_hash, calc_response
|
||||
from flask_digest_auth.auth import DigestAuth
|
||||
from flask_digest_auth.test import Client
|
||||
|
||||
VERSION: str = "0.7.1"
|
||||
"""The package version."""
|
||||
|
||||
@ -20,8 +20,8 @@
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import typing as t
|
||||
from hashlib import md5
|
||||
from typing import Optional, Literal
|
||||
|
||||
|
||||
def make_password_hash(realm: str, username: str, password: str) -> str:
|
||||
@ -44,10 +44,10 @@ def make_password_hash(realm: str, username: str, password: str) -> str:
|
||||
|
||||
def calc_response(
|
||||
method: str, uri: str, password_hash: str,
|
||||
nonce: str, qop: t.Optional[t.Literal["auth", "auth-int"]] = None,
|
||||
algorithm: t.Optional[t.Literal["MD5", "MD5-sess"]] = "MD5-sess",
|
||||
cnonce: t.Optional[str] = None, nc: t.Optional[str] = None,
|
||||
body: t.Optional[bytes] = None) -> str:
|
||||
nonce: str, qop: Optional[Literal["auth", "auth-int"]] = None,
|
||||
algorithm: Optional[Literal["MD5", "MD5-sess"]] = "MD5-sess",
|
||||
cnonce: Optional[str] = None, nc: Optional[str] = None,
|
||||
body: Optional[bytes] = None) -> str:
|
||||
"""Calculates the response value of the HTTP digest authentication.
|
||||
|
||||
:param method: The request method.
|
||||
|
||||
@ -23,9 +23,9 @@ See `RFC 2617`_ HTTP Authentication: Basic and Digest Access Authentication
|
||||
from __future__ import annotations
|
||||
|
||||
import sys
|
||||
import typing as t
|
||||
from functools import wraps
|
||||
from secrets import token_urlsafe, randbits
|
||||
from typing import Any, Optional, Literal, Callable, List
|
||||
|
||||
from flask import g, request, Response, session, abort, Flask, Request, \
|
||||
current_app
|
||||
@ -38,7 +38,7 @@ from flask_digest_auth.algo import calc_response
|
||||
class DigestAuth:
|
||||
"""The HTTP digest authentication."""
|
||||
|
||||
def __init__(self, realm: t.Optional[str] = None):
|
||||
def __init__(self, realm: Optional[str] = None):
|
||||
"""Constructs the HTTP digest authentication.
|
||||
|
||||
:param realm: The realm.
|
||||
@ -48,16 +48,15 @@ class DigestAuth:
|
||||
"""The serializer to generate and validate the nonce and opaque."""
|
||||
self.realm: str = "Login Required" if realm is None else realm
|
||||
"""The realm. Default is "Login Required"."""
|
||||
self.algorithm: t.Optional[t.Literal["MD5", "MD5-sess"]] = None
|
||||
self.algorithm: Optional[Literal["MD5", "MD5-sess"]] = None
|
||||
"""The algorithm, either None, ``MD5``, or ``MD5-sess``. Default is
|
||||
None."""
|
||||
self.use_opaque: bool = True
|
||||
"""Whether to use an opaque. Default is True."""
|
||||
self.__domain: t.List[str] = []
|
||||
self.__domain: List[str] = []
|
||||
"""A list of directories that this username and password applies to.
|
||||
Default is empty."""
|
||||
self.__qop: t.List[t.Literal["auth", "auth-int"]] \
|
||||
= ["auth", "auth-int"]
|
||||
self.__qop: List[Literal["auth", "auth-int"]] = ["auth", "auth-int"]
|
||||
"""A list of supported quality of protection supported, either
|
||||
``qop``, ``auth-int``, both, or empty. Default is both."""
|
||||
self.__get_password_hash: BasePasswordHashGetter \
|
||||
@ -68,7 +67,7 @@ class DigestAuth:
|
||||
self.__on_login: BaseOnLogInCallback = BaseOnLogInCallback()
|
||||
"""The callback to run when the user logs in."""
|
||||
|
||||
def login_required(self, view) -> t.Callable:
|
||||
def login_required(self, view) -> Callable:
|
||||
"""The view decorator for the HTTP digest authentication.
|
||||
|
||||
:Example:
|
||||
@ -89,7 +88,7 @@ class DigestAuth:
|
||||
class NoLogInException(Exception):
|
||||
"""The exception thrown when the user is not authorized."""
|
||||
|
||||
def get_logged_in_user() -> t.Any:
|
||||
def get_logged_in_user() -> Any:
|
||||
"""Returns the currently logged-in user.
|
||||
|
||||
:return: The currently logged-in user.
|
||||
@ -97,13 +96,13 @@ class DigestAuth:
|
||||
"""
|
||||
if "user" not in session:
|
||||
raise NoLogInException
|
||||
user: t.Optional[t.Any] = self.__get_user(session["user"])
|
||||
user: Optional[Any] = self.__get_user(session["user"])
|
||||
if user is None:
|
||||
del session["user"]
|
||||
raise NoLogInException
|
||||
return user
|
||||
|
||||
def auth_user(state: AuthState) -> t.Any:
|
||||
def auth_user(state: AuthState) -> Any:
|
||||
"""Authenticates a user.
|
||||
|
||||
:param state: The authentication state.
|
||||
@ -121,7 +120,7 @@ class DigestAuth:
|
||||
return self.__get_user(authorization.username)
|
||||
|
||||
@wraps(view)
|
||||
def login_required_view(*args, **kwargs) -> t.Any:
|
||||
def login_required_view(*args, **kwargs) -> Any:
|
||||
"""The login-protected view.
|
||||
|
||||
:param args: The positional arguments of the view.
|
||||
@ -141,7 +140,7 @@ class DigestAuth:
|
||||
return view(*args, **kwargs)
|
||||
except UnauthorizedException as e:
|
||||
if len(e.args) > 0:
|
||||
sys.stderr.write(e.args[0] + "\n")
|
||||
current_app.logger.warning(e.args[0])
|
||||
response: Response = Response()
|
||||
response.status = 401
|
||||
response.headers["WWW-Authenticate"] \
|
||||
@ -171,7 +170,7 @@ class DigestAuth:
|
||||
except BadData:
|
||||
raise UnauthorizedException("Invalid opaque")
|
||||
state.opaque = authorization.opaque
|
||||
password_hash: t.Optional[str] \
|
||||
password_hash: Optional[str] \
|
||||
= self.__get_password_hash(authorization.username)
|
||||
if password_hash is None:
|
||||
raise UnauthorizedException(
|
||||
@ -202,7 +201,7 @@ class DigestAuth:
|
||||
:return: The ``WWW-Authenticate`` response header.
|
||||
"""
|
||||
|
||||
def get_opaque() -> t.Optional[str]:
|
||||
def get_opaque() -> Optional[str]:
|
||||
"""Returns the opaque value.
|
||||
|
||||
:return: The opaque value.
|
||||
@ -213,7 +212,7 @@ class DigestAuth:
|
||||
return state.opaque
|
||||
return self.__serializer.dumps(randbits(32), salt="opaque")
|
||||
|
||||
opaque: t.Optional[str] = get_opaque()
|
||||
opaque: Optional[str] = get_opaque()
|
||||
nonce: str = self.__serializer.dumps(
|
||||
randbits(32),
|
||||
salt="nonce" if opaque is None else f"nonce-{opaque}")
|
||||
@ -226,7 +225,7 @@ class DigestAuth:
|
||||
if opaque is not None:
|
||||
header += f", opaque=\"{opaque}\""
|
||||
if state.stale is not None:
|
||||
header += f", stale=TRUE" if state.stale else f", stale=FALSE"
|
||||
header += ", stale=TRUE" if state.stale else ", stale=FALSE"
|
||||
if self.algorithm is not None:
|
||||
header += f", algorithm=\"{self.algorithm}\""
|
||||
if len(self.__qop) > 0:
|
||||
@ -234,7 +233,7 @@ class DigestAuth:
|
||||
header += f", qop=\"{qop_list}\""
|
||||
return header
|
||||
|
||||
def register_get_password(self, func: t.Callable[[str], t.Optional[str]])\
|
||||
def register_get_password(self, func: Callable[[str], Optional[str]]) \
|
||||
-> None:
|
||||
"""The decorator to register the callback to obtain the password hash.
|
||||
|
||||
@ -256,7 +255,7 @@ class DigestAuth:
|
||||
"""The base password hash getter."""
|
||||
|
||||
@staticmethod
|
||||
def __call__(username: str) -> t.Optional[str]:
|
||||
def __call__(username: str) -> Optional[str]:
|
||||
"""Returns the password hash of a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -266,8 +265,7 @@ class DigestAuth:
|
||||
|
||||
self.__get_password_hash = PasswordHashGetter()
|
||||
|
||||
def register_get_user(self, func: t.Callable[[str], t.Optional[t.Any]])\
|
||||
-> None:
|
||||
def register_get_user(self, func: Callable[[str], Optional[Any]]) -> None:
|
||||
"""The decorator to register the callback to obtain the user.
|
||||
|
||||
:Example:
|
||||
@ -287,7 +285,7 @@ class DigestAuth:
|
||||
"""The user getter."""
|
||||
|
||||
@staticmethod
|
||||
def __call__(username: str) -> t.Optional[t.Any]:
|
||||
def __call__(username: str) -> Optional[Any]:
|
||||
"""Returns a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -297,7 +295,7 @@ class DigestAuth:
|
||||
|
||||
self.__get_user = UserGetter()
|
||||
|
||||
def register_on_login(self, func: t.Callable[[t.Any], None]) -> None:
|
||||
def register_on_login(self, func: Callable[[Any], None]) -> None:
|
||||
"""The decorator to register the callback to run when the user logs in.
|
||||
|
||||
:Example:
|
||||
@ -316,7 +314,7 @@ class DigestAuth:
|
||||
"""The callback when the user logs in."""
|
||||
|
||||
@staticmethod
|
||||
def __call__(user: t.Any) -> None:
|
||||
def __call__(user: Any) -> None:
|
||||
"""Runs the callback when the user logs in.
|
||||
|
||||
:param user: The logged-in user.
|
||||
@ -336,7 +334,6 @@ class DigestAuth:
|
||||
|
||||
app: flask = Flask(__name__)
|
||||
auth: DigestAuth = DigestAuth()
|
||||
auth.realm = "My Admin"
|
||||
auth.init_app(app)
|
||||
|
||||
:param app: The Flask application.
|
||||
@ -347,8 +344,15 @@ class DigestAuth:
|
||||
self.realm = app.config["DIGEST_AUTH_REALM"]
|
||||
|
||||
if hasattr(app, "login_manager"):
|
||||
from flask_login import LoginManager, login_user
|
||||
self.__init_login_manager(app)
|
||||
|
||||
def __init_login_manager(self, app: Flask) -> None:
|
||||
"""Initializes the Flask-Login login manager.
|
||||
|
||||
:param app: The Flask application.
|
||||
:return: None.
|
||||
"""
|
||||
from flask_login import LoginManager, login_user
|
||||
login_manager: LoginManager = getattr(app, "login_manager")
|
||||
|
||||
@login_manager.unauthorized_handler
|
||||
@ -367,7 +371,7 @@ class DigestAuth:
|
||||
abort(response)
|
||||
|
||||
@login_manager.request_loader
|
||||
def load_user_from_request(req: Request) -> t.Optional[t.Any]:
|
||||
def load_user_from_request(req: Request) -> Optional[Any]:
|
||||
"""Loads the user from the request header.
|
||||
|
||||
:param req: The request.
|
||||
@ -428,9 +432,9 @@ class AuthState:
|
||||
|
||||
def __init__(self):
|
||||
"""Constructs the authorization state."""
|
||||
self.opaque: t.Optional[str] = None
|
||||
self.opaque: Optional[str] = None
|
||||
"""The opaque value specified by the client, if valid."""
|
||||
self.stale: t.Optional[bool] = None
|
||||
self.stale: Optional[bool] = None
|
||||
"""The stale value, if there is a previous log in attempt."""
|
||||
|
||||
|
||||
@ -447,7 +451,7 @@ class BasePasswordHashGetter:
|
||||
"""
|
||||
|
||||
@staticmethod
|
||||
def __call__(username: str) -> t.Optional[str]:
|
||||
def __call__(username: str) -> Optional[str]:
|
||||
"""Returns the password hash of a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -468,7 +472,7 @@ class BaseUserGetter:
|
||||
"""
|
||||
|
||||
@staticmethod
|
||||
def __call__(username: str) -> t.Optional[t.Any]:
|
||||
def __call__(username: str) -> Optional[Any]:
|
||||
"""Returns a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -488,7 +492,7 @@ class BaseOnLogInCallback:
|
||||
"""
|
||||
|
||||
@staticmethod
|
||||
def __call__(user: t.Any) -> None:
|
||||
def __call__(user: Any) -> None:
|
||||
"""Runs the callback when the user logs in.
|
||||
|
||||
:param user: The logged-in user.
|
||||
|
||||
@ -1,154 +0,0 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/3
|
||||
|
||||
# Copyright (c) 2022 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
"""The test client with HTTP digest authentication enabled.
|
||||
|
||||
"""
|
||||
import typing as t
|
||||
from secrets import token_urlsafe
|
||||
|
||||
from flask import g
|
||||
from werkzeug.datastructures import Authorization, WWWAuthenticate
|
||||
from werkzeug.test import TestResponse, Client as WerkzeugClient
|
||||
|
||||
from flask_digest_auth.algo import calc_response, make_password_hash
|
||||
|
||||
|
||||
class Client(WerkzeugClient):
|
||||
"""The test client with HTTP digest authentication enabled.
|
||||
|
||||
:Example:
|
||||
|
||||
For unittest_:
|
||||
|
||||
::
|
||||
|
||||
class MyTestCase(flask_testing.TestCase):
|
||||
|
||||
def create_app(self):
|
||||
app: Flask = create_app({
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"TESTING": True
|
||||
})
|
||||
app.test_client_class = Client
|
||||
return app
|
||||
|
||||
def test_admin(self):
|
||||
response = self.client.get("/admin")
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
For pytest_:
|
||||
|
||||
::
|
||||
|
||||
@pytest.fixture()
|
||||
def app():
|
||||
app: Flask = create_app({
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"TESTING": True
|
||||
})
|
||||
app.test_client_class = Client
|
||||
yield app
|
||||
|
||||
@pytest.fixture()
|
||||
def client(app):
|
||||
return app.test_client()
|
||||
|
||||
def test_admin(app: Flask, client: Client):
|
||||
with app.app_context():
|
||||
response = client.get("/admin")
|
||||
assert response.status_code == 401
|
||||
response = client.get(
|
||||
"/admin", digest_auth=(USERNAME, PASSWORD))
|
||||
assert response.status_code == 200
|
||||
|
||||
.. _unittest: https://docs.python.org/3/library/unittest.html
|
||||
.. _pytest: https://pytest.org
|
||||
"""
|
||||
|
||||
def open(self, *args, digest_auth: t.Optional[t.Tuple[str, str]] = None,
|
||||
**kwargs) -> TestResponse:
|
||||
"""Opens a request.
|
||||
|
||||
:param args: The arguments.
|
||||
:param digest_auth: The (*username*, *password*) tuple for the HTTP
|
||||
digest authentication.
|
||||
:param kwargs: The keyword arguments.
|
||||
:return: The response.
|
||||
"""
|
||||
response: TestResponse = super(Client, self).open(*args, **kwargs)
|
||||
www_authenticate: WWWAuthenticate = response.www_authenticate
|
||||
if not (response.status_code == 401
|
||||
and www_authenticate.type == "digest"
|
||||
and digest_auth is not None):
|
||||
return response
|
||||
if hasattr(g, "_login_user"):
|
||||
delattr(g, "_login_user")
|
||||
auth_data: Authorization = self.__class__.make_authorization(
|
||||
www_authenticate, args[0], digest_auth[0], digest_auth[1])
|
||||
response = super(Client, self).open(*args, auth=auth_data, **kwargs)
|
||||
return response
|
||||
|
||||
@staticmethod
|
||||
def make_authorization(www_authenticate: WWWAuthenticate, uri: str,
|
||||
username: str, password: str) -> Authorization:
|
||||
"""Composes and returns the request authorization.
|
||||
|
||||
:param www_authenticate: The ``WWW-Authenticate`` response.
|
||||
:param uri: The request URI.
|
||||
:param username: The username.
|
||||
:param password: The password.
|
||||
:return: The request authorization.
|
||||
"""
|
||||
qop: t.Optional[t.Literal["auth", "auth-int"]] = None
|
||||
if www_authenticate.qop is not None and "auth" in www_authenticate.qop:
|
||||
qop = "auth"
|
||||
|
||||
cnonce: t.Optional[str] = None
|
||||
if qop is not None or www_authenticate.algorithm == "MD5-sess":
|
||||
cnonce = token_urlsafe(8)
|
||||
nc: t.Optional[str] = None
|
||||
count: int = 1
|
||||
if qop is not None:
|
||||
nc: str = hex(count)[2:].zfill(8)
|
||||
|
||||
expected: str = calc_response(
|
||||
method="GET", uri=uri,
|
||||
password_hash=make_password_hash(www_authenticate.realm,
|
||||
username, password),
|
||||
nonce=www_authenticate.nonce, qop=qop,
|
||||
algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,
|
||||
body=None)
|
||||
|
||||
data: t.Dict[str, str] = {
|
||||
"username": username, "realm": www_authenticate.realm,
|
||||
"nonce": www_authenticate.nonce, "uri": uri, "response": expected}
|
||||
if www_authenticate.algorithm is not None:
|
||||
data["algorithm"] = www_authenticate.algorithm
|
||||
if cnonce is not None:
|
||||
data["cnonce"] = cnonce
|
||||
if www_authenticate.opaque is not None:
|
||||
data["opaque"] = www_authenticate.opaque
|
||||
if qop is not None:
|
||||
data["qop"] = qop
|
||||
if nc is not None:
|
||||
data["nc"] = nc
|
||||
|
||||
return Authorization("digest", data=data)
|
||||
@ -18,8 +18,8 @@
|
||||
"""The test case for the HTTP digest authentication algorithm.
|
||||
|
||||
"""
|
||||
import typing as t
|
||||
import unittest
|
||||
from typing import Optional, Literal
|
||||
|
||||
from flask_digest_auth import make_password_hash, calc_response
|
||||
|
||||
@ -39,11 +39,11 @@ class AlgorithmTestCase(unittest.TestCase):
|
||||
method: str = "GET"
|
||||
uri: str = "/dir/index.html"
|
||||
nonce: str = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
|
||||
qop: t.Optional[t.Literal["auth", "auth-int"]] = "auth"
|
||||
algorithm: t.Optional[t.Literal["MD5", "MD5-sess"]] = None
|
||||
cnonce: t.Optional[str] = "0a4f113b"
|
||||
nc: t.Optional[str] = "00000001"
|
||||
body: t.Optional[bytes] = None
|
||||
qop: Optional[Literal["auth", "auth-int"]] = "auth"
|
||||
algorithm: Optional[Literal["MD5", "MD5-sess"]] = None
|
||||
cnonce: Optional[str] = "0a4f113b"
|
||||
nc: Optional[str] = "00000001"
|
||||
body: Optional[bytes] = None
|
||||
|
||||
password_hash: str = make_password_hash(realm, username, password)
|
||||
response: str = calc_response(method, uri, password_hash, nonce, qop,
|
||||
|
||||
@ -18,18 +18,18 @@
|
||||
"""The test case for the HTTP digest authentication.
|
||||
|
||||
"""
|
||||
import typing as t
|
||||
import logging
|
||||
import unittest
|
||||
from secrets import token_urlsafe
|
||||
from typing import Any, Optional, Dict
|
||||
|
||||
from flask import Response, Flask, g, redirect, request
|
||||
from flask_testing import TestCase
|
||||
from werkzeug.datastructures import WWWAuthenticate, Authorization
|
||||
import httpx
|
||||
from flask import Flask, g, redirect, request
|
||||
from werkzeug.datastructures import WWWAuthenticate
|
||||
|
||||
from flask_digest_auth import DigestAuth, make_password_hash, Client
|
||||
|
||||
_REALM: str = "testrealm@host.com"
|
||||
_USERNAME: str = "Mufasa"
|
||||
_PASSWORD: str = "Circle Of Life"
|
||||
from flask_digest_auth import DigestAuth, make_password_hash
|
||||
from testlib import REALM, USERNAME, PASSWORD, ADMIN_1_URI, ADMIN_2_URI, \
|
||||
LOGOUT_URI, make_authorization
|
||||
|
||||
|
||||
class User:
|
||||
@ -42,34 +42,42 @@ class User:
|
||||
:param password: The clear-text password.
|
||||
"""
|
||||
self.username: str = username
|
||||
self.password_hash: str = make_password_hash(
|
||||
_REALM, username, password)
|
||||
"""The username."""
|
||||
self.password_hash: str = make_password_hash(REALM, username, password)
|
||||
"""The password hash."""
|
||||
self.visits: int = 0
|
||||
"""The number of visits."""
|
||||
|
||||
|
||||
class AuthenticationTestCase(TestCase):
|
||||
class AuthenticationTestCase(unittest.TestCase):
|
||||
"""The test case for the HTTP digest authentication."""
|
||||
|
||||
def create_app(self):
|
||||
"""Creates the Flask application.
|
||||
def setUp(self) -> None:
|
||||
"""Sets up the test.
|
||||
This is run once per test.
|
||||
|
||||
:return: The Flask application.
|
||||
:return: None.
|
||||
"""
|
||||
logging.getLogger("test_auth").addHandler(logging.NullHandler())
|
||||
app: Flask = Flask(__name__)
|
||||
app.config.from_mapping({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": _REALM,
|
||||
"DIGEST_AUTH_REALM": REALM,
|
||||
})
|
||||
app.test_client_class = Client
|
||||
self.__client: httpx.Client = httpx.Client(
|
||||
transport=httpx.WSGITransport(app=app),
|
||||
base_url="https://testserver")
|
||||
"""The testing client."""
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
auth.init_app(app)
|
||||
self.user: User = User(_USERNAME, _PASSWORD)
|
||||
user_db: t.Dict[str, User] = {_USERNAME: self.user}
|
||||
self.__user: User = User(USERNAME, PASSWORD)
|
||||
"""The user account."""
|
||||
user_db: Dict[str, User] = {USERNAME: self.__user}
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
def get_password_hash(username: str) -> Optional[str]:
|
||||
"""Returns the password hash of a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -79,7 +87,7 @@ class AuthenticationTestCase(TestCase):
|
||||
else None
|
||||
|
||||
@auth.register_get_user
|
||||
def get_user(username: str) -> t.Optional[t.Any]:
|
||||
def get_user(username: str) -> Optional[Any]:
|
||||
"""Returns a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -96,7 +104,7 @@ class AuthenticationTestCase(TestCase):
|
||||
"""
|
||||
user.visits = user.visits + 1
|
||||
|
||||
@app.get("/admin-1/auth", endpoint="admin-1")
|
||||
@app.get(ADMIN_1_URI, endpoint="admin-1")
|
||||
@auth.login_required
|
||||
def admin_1() -> str:
|
||||
"""The first administration section.
|
||||
@ -105,7 +113,7 @@ class AuthenticationTestCase(TestCase):
|
||||
"""
|
||||
return f"Hello, {g.user.username}! #1"
|
||||
|
||||
@app.get("/admin-2/auth", endpoint="admin-2")
|
||||
@app.get(ADMIN_2_URI, endpoint="admin-2")
|
||||
@auth.login_required
|
||||
def admin_2() -> str:
|
||||
"""The second administration section.
|
||||
@ -114,7 +122,7 @@ class AuthenticationTestCase(TestCase):
|
||||
"""
|
||||
return f"Hello, {g.user.username}! #2"
|
||||
|
||||
@app.post("/logout", endpoint="logout")
|
||||
@app.post(LOGOUT_URI, endpoint="logout")
|
||||
@auth.login_required
|
||||
def logout() -> redirect:
|
||||
"""Logs out the user.
|
||||
@ -124,63 +132,65 @@ class AuthenticationTestCase(TestCase):
|
||||
auth.logout()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
return app
|
||||
|
||||
def test_auth(self) -> None:
|
||||
"""Tests the authentication.
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
response: Response = self.client.get(self.app.url_for("admin-1"))
|
||||
response: httpx.Response
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(
|
||||
self.app.url_for("admin-1"), digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response.data.decode("UTF-8"),
|
||||
f"Hello, {_USERNAME}! #1")
|
||||
response: Response = self.client.get(self.app.url_for("admin-2"))
|
||||
self.assertEqual(response.text, f"Hello, {USERNAME}! #1")
|
||||
response = self.__client.get(ADMIN_2_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response.data.decode("UTF-8"),
|
||||
f"Hello, {_USERNAME}! #2")
|
||||
self.assertEqual(self.user.visits, 1)
|
||||
self.assertEqual(response.text, f"Hello, {USERNAME}! #2")
|
||||
self.assertEqual(self.__user.visits, 1)
|
||||
|
||||
def test_stale_opaque(self) -> None:
|
||||
"""Tests the stale and opaque value.
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
admin_uri: str = self.app.url_for("admin-1")
|
||||
response: Response
|
||||
response: httpx.Response
|
||||
www_authenticate: WWWAuthenticate
|
||||
auth_data: Authorization
|
||||
auth_header: str
|
||||
|
||||
response = super(Client, self.client).get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.type, "digest")
|
||||
self.assertEqual(www_authenticate.stale, None)
|
||||
self.assertIsNone(www_authenticate.get("stale"))
|
||||
opaque: str = www_authenticate.opaque
|
||||
|
||||
www_authenticate.nonce = "bad"
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
self.assertEqual(www_authenticate.stale, True)
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.get("stale"), "TRUE")
|
||||
self.assertEqual(www_authenticate.opaque, opaque)
|
||||
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD + "2")
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD + "2")
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
self.assertEqual(www_authenticate.stale, False)
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.get("stale"), "FALSE")
|
||||
self.assertEqual(www_authenticate.opaque, opaque)
|
||||
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_logout(self) -> None:
|
||||
@ -188,35 +198,34 @@ class AuthenticationTestCase(TestCase):
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
admin_uri: str = self.app.url_for("admin-1")
|
||||
logout_uri: str = self.app.url_for("logout")
|
||||
response: Response
|
||||
logout_uri: str = LOGOUT_URI
|
||||
response: httpx.Response
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.post(logout_uri, data={"next": admin_uri})
|
||||
response = self.__client.post(logout_uri, data={"next": ADMIN_1_URI})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.location, admin_uri)
|
||||
self.assertEqual(response.headers["Location"], ADMIN_1_URI)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(self.user.visits, 2)
|
||||
self.assertEqual(self.__user.visits, 2)
|
||||
|
||||
@ -18,18 +18,21 @@
|
||||
"""The test case for the Flask-Login integration.
|
||||
|
||||
"""
|
||||
import typing as t
|
||||
import logging
|
||||
import unittest
|
||||
from secrets import token_urlsafe
|
||||
from typing import Optional, Dict
|
||||
|
||||
from flask import Response, Flask, g, redirect, request
|
||||
from flask_testing import TestCase
|
||||
from werkzeug.datastructures import WWWAuthenticate, Authorization
|
||||
import httpx
|
||||
from flask import Flask, g, redirect, request
|
||||
from werkzeug.datastructures import WWWAuthenticate
|
||||
|
||||
from flask_digest_auth import DigestAuth, make_password_hash, Client
|
||||
from flask_digest_auth import DigestAuth, make_password_hash
|
||||
from testlib import REALM, USERNAME, PASSWORD, ADMIN_1_URI, ADMIN_2_URI, \
|
||||
LOGOUT_URI, make_authorization
|
||||
|
||||
_REALM: str = "testrealm@host.com"
|
||||
_USERNAME: str = "Mufasa"
|
||||
_PASSWORD: str = "Circle Of Life"
|
||||
SKIPPED_NO_FLASK_LOGIN: str = "Skipped without Flask-Login."
|
||||
"""The message that a test is skipped when Flask-Login is not installed."""
|
||||
|
||||
|
||||
class User:
|
||||
@ -42,11 +45,15 @@ class User:
|
||||
:param password: The clear-text password.
|
||||
"""
|
||||
self.username: str = username
|
||||
self.password_hash: str = make_password_hash(
|
||||
_REALM, username, password)
|
||||
"""The username."""
|
||||
self.password_hash: str = make_password_hash(REALM, username, password)
|
||||
"""The password hash."""
|
||||
self.visits: int = 0
|
||||
"""The number of visits."""
|
||||
self.is_active: bool = True
|
||||
"""True if the account is active, or False otherwise."""
|
||||
self.is_anonymous: bool = False
|
||||
"""True if the account is anonymous, or False otherwise."""
|
||||
|
||||
def get_id(self) -> str:
|
||||
"""Returns the username.
|
||||
@ -67,40 +74,50 @@ class User:
|
||||
return self.is_active
|
||||
|
||||
|
||||
class FlaskLoginTestCase(TestCase):
|
||||
class FlaskLoginTestCase(unittest.TestCase):
|
||||
"""The test case with the Flask-Login integration."""
|
||||
|
||||
def create_app(self) -> Flask:
|
||||
"""Creates the Flask application.
|
||||
def setUp(self) -> None:
|
||||
"""Sets up the test.
|
||||
This is run once per test.
|
||||
|
||||
:return: The Flask application.
|
||||
:return: None.
|
||||
"""
|
||||
app: Flask = Flask(__name__)
|
||||
app.config.from_mapping({
|
||||
logging.getLogger("test_flask_login").addHandler(logging.NullHandler())
|
||||
self.app: Flask = Flask(__name__)
|
||||
self.app.config.from_mapping({
|
||||
"TESTING": True,
|
||||
"SECRET_KEY": token_urlsafe(32),
|
||||
"DIGEST_AUTH_REALM": _REALM,
|
||||
"DIGEST_AUTH_REALM": REALM,
|
||||
})
|
||||
app.test_client_class = Client
|
||||
self.__client: httpx.Client = httpx.Client(
|
||||
transport=httpx.WSGITransport(app=self.app),
|
||||
base_url="https://testserver")
|
||||
"""The testing client."""
|
||||
|
||||
self.has_flask_login: bool = True
|
||||
self.__has_flask_login: bool = True
|
||||
"""Whether the Flask-Login package is installed."""
|
||||
try:
|
||||
import flask_login
|
||||
except ModuleNotFoundError:
|
||||
self.has_flask_login = False
|
||||
return app
|
||||
self.__has_flask_login = False
|
||||
return
|
||||
except ImportError:
|
||||
self.__has_flask_login = False
|
||||
return
|
||||
|
||||
login_manager: flask_login.LoginManager = flask_login.LoginManager()
|
||||
login_manager.init_app(app)
|
||||
login_manager.init_app(self.app)
|
||||
|
||||
auth: DigestAuth = DigestAuth()
|
||||
auth.init_app(app)
|
||||
auth.init_app(self.app)
|
||||
|
||||
self.user: User = User(_USERNAME, _PASSWORD)
|
||||
user_db: t.Dict[str, User] = {_USERNAME: self.user}
|
||||
self.__user: User = User(USERNAME, PASSWORD)
|
||||
"""The user account."""
|
||||
user_db: Dict[str, User] = {USERNAME: self.__user}
|
||||
|
||||
@auth.register_get_password
|
||||
def get_password_hash(username: str) -> t.Optional[str]:
|
||||
def get_password_hash(username: str) -> Optional[str]:
|
||||
"""Returns the password hash of a user.
|
||||
|
||||
:param username: The username.
|
||||
@ -119,7 +136,7 @@ class FlaskLoginTestCase(TestCase):
|
||||
user.visits = user.visits + 1
|
||||
|
||||
@login_manager.user_loader
|
||||
def load_user(user_id: str) -> t.Optional[User]:
|
||||
def load_user(user_id: str) -> Optional[User]:
|
||||
"""Loads a user.
|
||||
|
||||
:param user_id: The username.
|
||||
@ -127,7 +144,7 @@ class FlaskLoginTestCase(TestCase):
|
||||
"""
|
||||
return user_db[user_id] if user_id in user_db else None
|
||||
|
||||
@app.get("/admin-1/auth", endpoint="admin-1")
|
||||
@self.app.get(ADMIN_1_URI)
|
||||
@flask_login.login_required
|
||||
def admin_1() -> str:
|
||||
"""The first administration section.
|
||||
@ -136,7 +153,7 @@ class FlaskLoginTestCase(TestCase):
|
||||
"""
|
||||
return f"Hello, {flask_login.current_user.get_id()}! #1"
|
||||
|
||||
@app.get("/admin-2/auth", endpoint="admin-2")
|
||||
@self.app.get(ADMIN_2_URI)
|
||||
@flask_login.login_required
|
||||
def admin_2() -> str:
|
||||
"""The second administration section.
|
||||
@ -145,7 +162,7 @@ class FlaskLoginTestCase(TestCase):
|
||||
"""
|
||||
return f"Hello, {flask_login.current_user.get_id()}! #2"
|
||||
|
||||
@app.post("/logout", endpoint="logout")
|
||||
@self.app.post(LOGOUT_URI)
|
||||
@flask_login.login_required
|
||||
def logout() -> redirect:
|
||||
"""Logs out the user.
|
||||
@ -155,75 +172,81 @@ class FlaskLoginTestCase(TestCase):
|
||||
auth.logout()
|
||||
return redirect(request.form.get("next"))
|
||||
|
||||
return app
|
||||
|
||||
def test_auth(self) -> None:
|
||||
"""Tests the authentication.
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
if not self.has_flask_login:
|
||||
self.skipTest("Skipped without Flask-Login.")
|
||||
if not self.__has_flask_login:
|
||||
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
|
||||
|
||||
response: Response = self.client.get(self.app.url_for("admin-1"))
|
||||
response: httpx.Response
|
||||
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(
|
||||
self.app.url_for("admin-1"), digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response.data.decode("UTF-8"),
|
||||
f"Hello, {_USERNAME}! #1")
|
||||
response: Response = self.client.get(self.app.url_for("admin-2"))
|
||||
self.assertEqual(response.text, f"Hello, {USERNAME}! #1")
|
||||
response = self.__client.get(ADMIN_2_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response.data.decode("UTF-8"),
|
||||
f"Hello, {_USERNAME}! #2")
|
||||
self.assertEqual(self.user.visits, 1)
|
||||
self.assertEqual(response.text, f"Hello, {USERNAME}! #2")
|
||||
self.assertEqual(self.__user.visits, 1)
|
||||
|
||||
def test_stale_opaque(self) -> None:
|
||||
"""Tests the stale and opaque value.
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
if not self.has_flask_login:
|
||||
self.skipTest("Skipped without Flask-Login.")
|
||||
if not self.__has_flask_login:
|
||||
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
|
||||
|
||||
admin_uri: str = self.app.url_for("admin-1")
|
||||
response: Response
|
||||
response: httpx.Response
|
||||
www_authenticate: WWWAuthenticate
|
||||
auth_data: Authorization
|
||||
auth_header: str
|
||||
|
||||
response = super(Client, self.client).get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.type, "digest")
|
||||
self.assertEqual(www_authenticate.stale, None)
|
||||
self.assertIsNone(www_authenticate.get("stale"))
|
||||
opaque: str = www_authenticate.opaque
|
||||
|
||||
with self.app.app_context():
|
||||
if hasattr(g, "_login_user"):
|
||||
delattr(g, "_login_user")
|
||||
www_authenticate.nonce = "bad"
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
self.assertEqual(www_authenticate.stale, True)
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.get("stale"), "TRUE")
|
||||
self.assertEqual(www_authenticate.opaque, opaque)
|
||||
|
||||
with self.app.app_context():
|
||||
if hasattr(g, "_login_user"):
|
||||
delattr(g, "_login_user")
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD + "2")
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD + "2")
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 401)
|
||||
www_authenticate = response.www_authenticate
|
||||
self.assertEqual(www_authenticate.stale, False)
|
||||
www_authenticate = WWWAuthenticate.from_header(
|
||||
response.headers["WWW-Authenticate"])
|
||||
self.assertEqual(www_authenticate.get("stale"), "FALSE")
|
||||
self.assertEqual(www_authenticate.opaque, opaque)
|
||||
|
||||
with self.app.app_context():
|
||||
if hasattr(g, "_login_user"):
|
||||
delattr(g, "_login_user")
|
||||
auth_data = Client.make_authorization(
|
||||
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
|
||||
response = super(Client, self.client).get(admin_uri, auth=auth_data)
|
||||
auth_header = make_authorization(
|
||||
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
headers={"Authorization": auth_header})
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
def test_logout(self) -> None:
|
||||
@ -231,69 +254,67 @@ class FlaskLoginTestCase(TestCase):
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
if not self.has_flask_login:
|
||||
self.skipTest("Skipped without Flask-Login.")
|
||||
if not self.__has_flask_login:
|
||||
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
|
||||
|
||||
admin_uri: str = self.app.url_for("admin-1")
|
||||
logout_uri: str = self.app.url_for("logout")
|
||||
response: Response
|
||||
response: httpx.Response
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.post(logout_uri, data={"next": admin_uri})
|
||||
response = self.__client.post(LOGOUT_URI, data={"next": ADMIN_1_URI})
|
||||
self.assertEqual(response.status_code, 302)
|
||||
self.assertEqual(response.location, admin_uri)
|
||||
self.assertEqual(response.headers["Location"], ADMIN_1_URI)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
response = self.client.get(admin_uri,
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
response = self.client.get(admin_uri)
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(self.user.visits, 2)
|
||||
self.assertEqual(self.__user.visits, 2)
|
||||
|
||||
def test_disabled(self) -> None:
|
||||
"""Tests the disabled user.
|
||||
|
||||
:return: None.
|
||||
"""
|
||||
if not self.has_flask_login:
|
||||
self.skipTest("Skipped without Flask-Login.")
|
||||
if not self.__has_flask_login:
|
||||
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
|
||||
|
||||
response: Response
|
||||
response: httpx.Response
|
||||
|
||||
self.user.is_active = False
|
||||
response = self.client.get(self.app.url_for("admin-1"))
|
||||
self.__user.is_active = False
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(self.app.url_for("admin-1"),
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
self.user.is_active = True
|
||||
response = self.client.get(self.app.url_for("admin-1"),
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
self.__user.is_active = True
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 200)
|
||||
response = self.client.get(self.app.url_for("admin-1"))
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
self.user.is_active = False
|
||||
response = self.client.get(self.app.url_for("admin-1"))
|
||||
self.__user.is_active = False
|
||||
response = self.__client.get(ADMIN_1_URI)
|
||||
self.assertEqual(response.status_code, 401)
|
||||
response = self.client.get(self.app.url_for("admin-1"),
|
||||
digest_auth=(_USERNAME, _PASSWORD))
|
||||
response = self.__client.get(ADMIN_1_URI,
|
||||
auth=httpx.DigestAuth(USERNAME, PASSWORD))
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
87
tests/testlib.py
Normal file
87
tests/testlib.py
Normal file
@ -0,0 +1,87 @@
|
||||
# The Flask HTTP Digest Authentication Project.
|
||||
# Author: imacat@mail.imacat.idv.tw (imacat), 2023/10/5
|
||||
|
||||
# Copyright (c) 2023 imacat.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
"""The common test libraries.
|
||||
|
||||
"""
|
||||
from secrets import token_urlsafe
|
||||
from typing import Optional, Literal, Dict
|
||||
|
||||
from werkzeug.datastructures import Authorization, WWWAuthenticate
|
||||
from werkzeug.http import parse_set_header
|
||||
|
||||
from flask_digest_auth import calc_response, make_password_hash
|
||||
|
||||
REALM: str = "testrealm@host.com"
|
||||
"""The realm."""
|
||||
USERNAME: str = "Mufasa"
|
||||
"""The username."""
|
||||
PASSWORD: str = "Circle Of Life"
|
||||
"""The password."""
|
||||
ADMIN_1_URI: str = "/admin-1/auth"
|
||||
"""The first administration URI."""
|
||||
ADMIN_2_URI: str = "/admin-2/auth"
|
||||
"""The first administration URI."""
|
||||
LOGOUT_URI: str = "/logout"
|
||||
"""The log out URI."""
|
||||
|
||||
|
||||
def make_authorization(www_authenticate: WWWAuthenticate, uri: str,
|
||||
username: str, password: str) -> str:
|
||||
"""Composes and returns the request authorization.
|
||||
|
||||
:param www_authenticate: The ``WWW-Authenticate`` response.
|
||||
:param uri: The request URI.
|
||||
:param username: The username.
|
||||
:param password: The password.
|
||||
:return: The request authorization header.
|
||||
"""
|
||||
qop: Optional[Literal["auth", "auth-int"]] = None
|
||||
if "auth" in parse_set_header(www_authenticate.get("qop")):
|
||||
qop = "auth"
|
||||
|
||||
cnonce: Optional[str] = None
|
||||
if qop is not None or www_authenticate.algorithm == "MD5-sess":
|
||||
cnonce = token_urlsafe(8)
|
||||
nc: Optional[str] = None
|
||||
count: int = 1
|
||||
if qop is not None:
|
||||
nc: str = hex(count)[2:].zfill(8)
|
||||
|
||||
expected: str = calc_response(
|
||||
method="GET", uri=uri,
|
||||
password_hash=make_password_hash(www_authenticate.realm,
|
||||
username, password),
|
||||
nonce=www_authenticate.nonce, qop=qop,
|
||||
algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,
|
||||
body=None)
|
||||
|
||||
data: Dict[str, str] = {
|
||||
"username": username, "realm": www_authenticate.realm,
|
||||
"nonce": www_authenticate.nonce, "uri": uri, "response": expected}
|
||||
if www_authenticate.algorithm is not None:
|
||||
data["algorithm"] = www_authenticate.algorithm
|
||||
if cnonce is not None:
|
||||
data["cnonce"] = cnonce
|
||||
if www_authenticate.opaque is not None:
|
||||
data["opaque"] = www_authenticate.opaque
|
||||
if qop is not None:
|
||||
data["qop"] = qop
|
||||
if nc is not None:
|
||||
data["nc"] = nc
|
||||
|
||||
return str(Authorization("digest", data=data))
|
||||
Reference in New Issue
Block a user