imacat/flask-digestauth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 15 Wiki Activity

Compare commits

base: imacat:v0.6.0
Branches Tags
imacat:main
imacat:v0.7.0
imacat:v0.6.2
imacat:v0.6.1
imacat:v0.6.0
imacat:v0.5.0
imacat:v0.4.0
imacat:v0.3.1
imacat:v0.3.0
imacat:v0.2.4
imacat:v0.2.3
imacat:v0.2.2
imacat:v0.2.1
imacat:v0.2.0
imacat:v0.1.1
imacat:v0.1.0
...
compare: imacat:main
Branches Tags
imacat:main
imacat:v0.7.0
imacat:v0.6.2
imacat:v0.6.1
imacat:v0.6.0
imacat:v0.5.0
imacat:v0.4.0
imacat:v0.3.1
imacat:v0.3.0
imacat:v0.2.4
imacat:v0.2.3
imacat:v0.2.2
imacat:v0.2.1
imacat:v0.2.0
imacat:v0.1.1
imacat:v0.1.0

19 Commits
v0.6.0 ... main

Author SHA1 Message Date
依瑪貓
9da7cec1f5 Updated optional dependencies in pyproject.toml. 2024-06-02 09:25:12 +08:00
依瑪貓
2d0a8dbcd8 Updated the dependencies in pyproject.toml. 2024-06-02 09:04:34 +08:00
依瑪貓
a3bc807192 Removed the test client from thd Sphinx documentation. 2023-10-08 23:35:20 +08:00
依瑪貓
848971709a Advanced to version 0.7.0. 2023-10-08 22:46:59 +08:00
依瑪貓
409b04af47 Added docs/requirements.txt and the "sphinx_rtd_theme" theme to the readthedocs configuration, as Read the Docs does not install sphinx_rtd_theme by default after August 7, 2023. 2023-10-08 22:46:33 +08:00
依瑪貓
a8c34eb367 Updated the Sphinx documentation. 2023-10-08 22:15:44 +08:00
依瑪貓
cc96987a18 Revised the FlaskLoginTestCase test case to skip testing when Flask-Login 0.6.2 conflicts with Werkzeug 3. 2023-10-08 22:11:50 +08:00
依瑪貓
1f657568bb Replaced the "Flask-Testing" package with the "httpx" package for testing, and retired the unused "flask_digest_auth.test" module. "Flask-Testing" is not maintained for more than 3 years, and is not compatible with Flask 3. 2023-10-08 22:06:20 +08:00
依瑪貓
320cfe1700 Added the SKIPPED_NO_FLASK_LOGIN constant to test_flask_login.py, to simplify the code. 2023-06-10 16:45:19 +08:00
依瑪貓
a5188c9aa1 Advanced to version 0.6.2. 2023-06-10 16:26:39 +08:00
imacat
b62b98bd51 Changed the properties of the test cases from public to private. 2023-06-08 17:28:35 +08:00
imacat
877f02fe82 Added missing documentation to the global variables and class and object properties. 2023-06-08 17:20:24 +08:00
依瑪貓
bc888195ad Disabled logging in the AuthenticationTestCase and FlaskLoginTestCase test cases, for clearer test output. 2023-05-03 08:08:51 +08:00
依瑪貓
8e69733cf6 Updated the login_required view decorator of the DigestAuth class, replaced writing to STDERR directly with warning through the Flask logger. 2023-05-03 08:05:28 +08:00
依瑪貓
f04ea7ac18 Advanced to version 0.6.1. 2023-05-03 06:59:27 +08:00
依瑪貓
15ea650ddd Revised the code that handles the "qop" and "stale" parameters of the "WWW-Authenticate" response HTTP header for the upcoming Werkzeug 2.4. 2023-05-03 06:58:14 +08:00
依瑪貓
5b255b6504 Split the Flask-Login login manager initialization from the init_app method to the __init_login_manager method in the DigestAuth class, to simplify the code. 2023-04-29 11:17:11 +08:00
依瑪貓
919b8d0dc3 Removed the unnecessary f-string in the __make_response_header method of the DigestAuth class. 2023-04-29 10:44:15 +08:00
依瑪貓
604ed0be27 Updated the Python version in the Read the Docs configuration. 2023-04-27 09:09:00 +08:00
13 changed files with 370 additions and 457 deletions
Show Stats Expand all files Collapse all files

3
.readthedocs.yaml
View File

@ -26,7 +26,7 @@ version: 2
build:
os: ubuntu-22.04
tools:
python: "3.7"
python: "3.8"
# Build documentation in the docs/ directory with Sphinx
@ -38,3 +38,4 @@ python:
install:
- method: pip
path: .
- requirements: docs/requirements.txt

1
docs/requirements.txt Normal file
View File

@ -0,0 +1 @@
sphinx_rtd_theme

31
docs/source/changelog.rst
View File

@ -2,6 +2,37 @@ Change Log
==========
Version 0.7.0
-------------
Released 2023/10/8
* Removed the test client. You should use httpx instead of Flask-Testing
when writing automatic tests. Flask-Testing is not maintained for more
than 3 years, and is not compatible with Flask 3 now.
* Revised to skip the tests when Flask-Login is not compatible with Werkzeug.
Version 0.6.2
-------------
Released 2023/6/10
* Changed logging from STDERR to the Flask logger.
* Test case updates:
* Added missing documentation.
* Changed properties from public to private.
* Disabled logging.
Version 0.6.1
-------------
Released 2023/5/3
* Revised the code for the upcoming Werkzeug 2.4.
Version 0.6.0
-------------

67
docs/source/examples.rst
View File

@ -199,70 +199,3 @@ In your ``my_app/views.py``:
The views only depend on Flask-Login, but not the actual
authentication mechanism. You can change the actual authentication
mechanism without changing the views.
.. _example-unittest:
A unittest Test Case
--------------------
::
from flask import Flask
from flask_digest_auth import Client
from flask_testing import TestCase
from my_app import create_app
class MyTestCase(TestCase):
def create_app(self):
app: Flask = create_app({
"TESTING": True,
"SECRET_KEY": token_urlsafe(32),
"DIGEST_AUTH_REALM": "admin",
})
app.test_client_class = Client
return app
def test_admin(self):
response = self.client.get("/admin")
self.assertEqual(response.status_code, 401)
response = self.client.get(
"/admin", digest_auth=(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
.. _example-pytest:
A pytest Test
-------------
::
import pytest
from flask import Flask
from flask_digest_auth import Client
from my_app import create_app
@pytest.fixture()
def app():
app: Flask = create_app({
"TESTING": True,
"SECRET_KEY": token_urlsafe(32),
"DIGEST_AUTH_REALM": "admin",
})
app.test_client_class = Client
yield app
@pytest.fixture()
def client(app):
return app.test_client()
def test_admin(app: Flask, client: Client):
with app.app_context():
response = client.get("/admin")
assert response.status_code == 401
response = client.get(
"/admin", digest_auth=(USERNAME, PASSWORD))
assert response.status_code == 200

8
docs/source/flask_digest_auth.rst
View File

@ -20,14 +20,6 @@ flask\_digest\_auth.auth module
:undoc-members:
:show-inheritance:
flask\_digest\_auth.test module
-------------------------------
.. automodule:: flask_digest_auth.test
:members:
:undoc-members:
:show-inheritance:
Module contents
---------------

11
docs/source/intro.rst
View File

@ -137,17 +137,6 @@ new username and password.
See :meth:`flask_digest_auth.auth.DigestAuth.logout`.
Test Client
-----------
Flask-DigestAuth comes with a test client that supports HTTP digest
authentication.
See :class:`flask_digest_auth.test.Client`.
Also see :ref:`example-unittest` and :ref:`example-pytest`.
.. _HTTP Digest Authentication: https://en.wikipedia.org/wiki/Digest_access_authentication
.. _RFC 2617: https://www.rfc-editor.org/rfc/rfc2617
.. _Flask: https://flask.palletsprojects.com

9
pyproject.toml
View File

@ -1,7 +1,7 @@
# The Flask HTTP Digest Authentication Project.
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/23
# Copyright (c) 2022-2023 imacat.
# Copyright (c) 2022-2024 imacat.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -34,13 +34,12 @@ classifiers = [
"Intended Audience :: Developers",
]
dependencies = [
"flask",
"Flask",
]
[project.optional-dependencies]
test = [
"unittest",
"flask-testing",
devel = [
"httpx",
]
[project.urls]

5
src/flask_digest_auth/__init__.py
View File

@ -1,7 +1,7 @@
# The Flask HTTP Digest Authentication Project.
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/6
# Copyright (c) 2022 imacat.
# Copyright (c) 2022-2023 imacat.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -20,7 +20,6 @@
"""
from flask_digest_auth.algo import make_password_hash, calc_response
from flask_digest_auth.auth import DigestAuth
from flask_digest_auth.test import Client
VERSION: str = "0.6.0"
VERSION: str = "0.7.0"
"""The package version."""

13
src/flask_digest_auth/auth.py
View File

@ -140,7 +140,7 @@ class DigestAuth:
return view(*args, **kwargs)
except UnauthorizedException as e:
if len(e.args) > 0:
sys.stderr.write(e.args[0] + "\n")
current_app.logger.warning(e.args[0])
response: Response = Response()
response.status = 401
response.headers["WWW-Authenticate"] \
@ -225,7 +225,7 @@ class DigestAuth:
if opaque is not None:
header += f", opaque=\"{opaque}\""
if state.stale is not None:
header += f", stale=TRUE" if state.stale else f", stale=FALSE"
header += ", stale=TRUE" if state.stale else ", stale=FALSE"
if self.algorithm is not None:
header += f", algorithm=\"{self.algorithm}\""
if len(self.__qop) > 0:
@ -344,8 +344,15 @@ class DigestAuth:
self.realm = app.config["DIGEST_AUTH_REALM"]
if hasattr(app, "login_manager"):
from flask_login import LoginManager, login_user
self.__init_login_manager(app)
def __init_login_manager(self, app: Flask) -> None:
"""Initializes the Flask-Login login manager.
:param app: The Flask application.
:return: None.
"""
from flask_login import LoginManager, login_user
login_manager: LoginManager = getattr(app, "login_manager")
@login_manager.unauthorized_handler

154
src/flask_digest_auth/test.py
View File

@ -1,154 +0,0 @@
# The Flask HTTP Digest Authentication Project.
# Author: imacat@mail.imacat.idv.tw (imacat), 2022/11/3
# Copyright (c) 2022 imacat.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The test client with HTTP digest authentication enabled.
"""
from secrets import token_urlsafe
from typing import Optional, Literal, Tuple, Dict
from flask import g
from werkzeug.datastructures import Authorization, WWWAuthenticate
from werkzeug.test import TestResponse, Client as WerkzeugClient
from flask_digest_auth.algo import calc_response, make_password_hash
class Client(WerkzeugClient):
"""The test client with HTTP digest authentication enabled.
:Example:
For unittest_:
::
class MyTestCase(flask_testing.TestCase):
def create_app(self):
app: Flask = create_app({
"SECRET_KEY": token_urlsafe(32),
"TESTING": True
})
app.test_client_class = Client
return app
def test_admin(self):
response = self.client.get("/admin")
self.assertEqual(response.status_code, 401)
response = self.client.get(
"/admin", digest_auth=(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
For pytest_:
::
@pytest.fixture()
def app():
app: Flask = create_app({
"SECRET_KEY": token_urlsafe(32),
"TESTING": True
})
app.test_client_class = Client
yield app
@pytest.fixture()
def client(app):
return app.test_client()
def test_admin(app: Flask, client: Client):
with app.app_context():
response = client.get("/admin")
assert response.status_code == 401
response = client.get(
"/admin", digest_auth=(USERNAME, PASSWORD))
assert response.status_code == 200
.. _unittest: https://docs.python.org/3/library/unittest.html
.. _pytest: https://pytest.org
"""
def open(self, *args, digest_auth: Optional[Tuple[str, str]] = None,
**kwargs) -> TestResponse:
"""Opens a request.
:param args: The arguments.
:param digest_auth: The (*username*, *password*) tuple for the HTTP
digest authentication.
:param kwargs: The keyword arguments.
:return: The response.
"""
response: TestResponse = super(Client, self).open(*args, **kwargs)
www_authenticate: WWWAuthenticate = response.www_authenticate
if not (response.status_code == 401
and www_authenticate.type == "digest"
and digest_auth is not None):
return response
if hasattr(g, "_login_user"):
delattr(g, "_login_user")
auth_data: Authorization = self.__class__.make_authorization(
www_authenticate, args[0], digest_auth[0], digest_auth[1])
response = super(Client, self).open(*args, auth=auth_data, **kwargs)
return response
@staticmethod
def make_authorization(www_authenticate: WWWAuthenticate, uri: str,
username: str, password: str) -> Authorization:
"""Composes and returns the request authorization.
:param www_authenticate: The ``WWW-Authenticate`` response.
:param uri: The request URI.
:param username: The username.
:param password: The password.
:return: The request authorization.
"""
qop: Optional[Literal["auth", "auth-int"]] = None
if www_authenticate.qop is not None and "auth" in www_authenticate.qop:
qop = "auth"
cnonce: Optional[str] = None
if qop is not None or www_authenticate.algorithm == "MD5-sess":
cnonce = token_urlsafe(8)
nc: Optional[str] = None
count: int = 1
if qop is not None:
nc: str = hex(count)[2:].zfill(8)
expected: str = calc_response(
method="GET", uri=uri,
password_hash=make_password_hash(www_authenticate.realm,
username, password),
nonce=www_authenticate.nonce, qop=qop,
algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,
body=None)
data: Dict[str, str] = {
"username": username, "realm": www_authenticate.realm,
"nonce": www_authenticate.nonce, "uri": uri, "response": expected}
if www_authenticate.algorithm is not None:
data["algorithm"] = www_authenticate.algorithm
if cnonce is not None:
data["cnonce"] = cnonce
if www_authenticate.opaque is not None:
data["opaque"] = www_authenticate.opaque
if qop is not None:
data["qop"] = qop
if nc is not None:
data["nc"] = nc
return Authorization("digest", data=data)

142
tests/test_auth.py
View File

@ -18,18 +18,18 @@
"""The test case for the HTTP digest authentication.
"""
import logging
import unittest
from secrets import token_urlsafe
from typing import Any, Optional, Dict
from flask import Response, Flask, g, redirect, request
from flask_testing import TestCase
from werkzeug.datastructures import WWWAuthenticate, Authorization
import httpx
from flask import Flask, g, redirect, request
from werkzeug.datastructures import WWWAuthenticate
from flask_digest_auth import DigestAuth, make_password_hash, Client
_REALM: str = "testrealm@host.com"
_USERNAME: str = "Mufasa"
_PASSWORD: str = "Circle Of Life"
from flask_digest_auth import DigestAuth, make_password_hash
from testlib import REALM, USERNAME, PASSWORD, ADMIN_1_URI, ADMIN_2_URI, \
LOGOUT_URI, make_authorization
class User:
@ -42,31 +42,38 @@ class User:
:param password: The clear-text password.
"""
self.username: str = username
self.password_hash: str = make_password_hash(
_REALM, username, password)
"""The username."""
self.password_hash: str = make_password_hash(REALM, username, password)
"""The password hash."""
self.visits: int = 0
"""The number of visits."""
class AuthenticationTestCase(TestCase):
class AuthenticationTestCase(unittest.TestCase):
"""The test case for the HTTP digest authentication."""
def create_app(self):
"""Creates the Flask application.
def setUp(self) -> None:
"""Sets up the test.
This is run once per test.
:return: The Flask application.
:return: None.
"""
logging.getLogger("test_auth").addHandler(logging.NullHandler())
app: Flask = Flask(__name__)
app.config.from_mapping({
"TESTING": True,
"SECRET_KEY": token_urlsafe(32),
"DIGEST_AUTH_REALM": _REALM,
"DIGEST_AUTH_REALM": REALM,
})
app.test_client_class = Client
self.__client: httpx.Client = httpx.Client(
app=app, base_url="https://testserver")
"""The testing client."""
auth: DigestAuth = DigestAuth()
auth.init_app(app)
self.user: User = User(_USERNAME, _PASSWORD)
user_db: Dict[str, User] = {_USERNAME: self.user}
self.__user: User = User(USERNAME, PASSWORD)
"""The user account."""
user_db: Dict[str, User] = {USERNAME: self.__user}
@auth.register_get_password
def get_password_hash(username: str) -> Optional[str]:
@ -96,7 +103,7 @@ class AuthenticationTestCase(TestCase):
"""
user.visits = user.visits + 1
@app.get("/admin-1/auth", endpoint="admin-1")
@app.get(ADMIN_1_URI, endpoint="admin-1")
@auth.login_required
def admin_1() -> str:
"""The first administration section.
@ -105,7 +112,7 @@ class AuthenticationTestCase(TestCase):
"""
return f"Hello, {g.user.username}! #1"
@app.get("/admin-2/auth", endpoint="admin-2")
@app.get(ADMIN_2_URI, endpoint="admin-2")
@auth.login_required
def admin_2() -> str:
"""The second administration section.
@ -114,7 +121,7 @@ class AuthenticationTestCase(TestCase):
"""
return f"Hello, {g.user.username}! #2"
@app.post("/logout", endpoint="logout")
@app.post(LOGOUT_URI, endpoint="logout")
@auth.login_required
def logout() -> redirect:
"""Logs out the user.
@ -124,63 +131,65 @@ class AuthenticationTestCase(TestCase):
auth.logout()
return redirect(request.form.get("next"))
return app
def test_auth(self) -> None:
"""Tests the authentication.
:return: None.
"""
response: Response = self.client.get(self.app.url_for("admin-1"))
response: httpx.Response
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(
self.app.url_for("admin-1"), digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
self.assertEqual(response.data.decode("UTF-8"),
f"Hello, {_USERNAME}! #1")
response: Response = self.client.get(self.app.url_for("admin-2"))
self.assertEqual(response.text, f"Hello, {USERNAME}! #1")
response = self.__client.get(ADMIN_2_URI)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.data.decode("UTF-8"),
f"Hello, {_USERNAME}! #2")
self.assertEqual(self.user.visits, 1)
self.assertEqual(response.text, f"Hello, {USERNAME}! #2")
self.assertEqual(self.__user.visits, 1)
def test_stale_opaque(self) -> None:
"""Tests the stale and opaque value.
:return: None.
"""
admin_uri: str = self.app.url_for("admin-1")
response: Response
response: httpx.Response
www_authenticate: WWWAuthenticate
auth_data: Authorization
auth_header: str
response = super(Client, self.client).get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.type, "digest")
self.assertEqual(www_authenticate.stale, None)
self.assertIsNone(www_authenticate.get("stale"))
opaque: str = www_authenticate.opaque
www_authenticate.nonce = "bad"
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
self.assertEqual(www_authenticate.stale, True)
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.get("stale"), "TRUE")
self.assertEqual(www_authenticate.opaque, opaque)
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD + "2")
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD + "2")
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
self.assertEqual(www_authenticate.stale, False)
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.get("stale"), "FALSE")
self.assertEqual(www_authenticate.opaque, opaque)
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 200)
def test_logout(self) -> None:
@ -188,35 +197,34 @@ class AuthenticationTestCase(TestCase):
:return: None.
"""
admin_uri: str = self.app.url_for("admin-1")
logout_uri: str = self.app.url_for("logout")
response: Response
logout_uri: str = LOGOUT_URI
response: httpx.Response
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 200)
response = self.client.post(logout_uri, data={"next": admin_uri})
response = self.__client.post(logout_uri, data={"next": ADMIN_1_URI})
self.assertEqual(response.status_code, 302)
self.assertEqual(response.location, admin_uri)
self.assertEqual(response.headers["Location"], ADMIN_1_URI)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 200)
self.assertEqual(self.user.visits, 2)
self.assertEqual(self.__user.visits, 2)

208
tests/test_flask_login.py
View File

@ -18,18 +18,21 @@
"""The test case for the Flask-Login integration.
"""
import logging
import unittest
from secrets import token_urlsafe
from typing import Optional, Dict
from flask import Response, Flask, g, redirect, request
from flask_testing import TestCase
from werkzeug.datastructures import WWWAuthenticate, Authorization
import httpx
from flask import Flask, g, redirect, request
from werkzeug.datastructures import WWWAuthenticate
from flask_digest_auth import DigestAuth, make_password_hash, Client
from flask_digest_auth import DigestAuth, make_password_hash
from testlib import REALM, USERNAME, PASSWORD, ADMIN_1_URI, ADMIN_2_URI, \
LOGOUT_URI, make_authorization
_REALM: str = "testrealm@host.com"
_USERNAME: str = "Mufasa"
_PASSWORD: str = "Circle Of Life"
SKIPPED_NO_FLASK_LOGIN: str = "Skipped without Flask-Login."
"""The message that a test is skipped when Flask-Login is not installed."""
class User:
@ -42,11 +45,15 @@ class User:
:param password: The clear-text password.
"""
self.username: str = username
self.password_hash: str = make_password_hash(
_REALM, username, password)
"""The username."""
self.password_hash: str = make_password_hash(REALM, username, password)
"""The password hash."""
self.visits: int = 0
"""The number of visits."""
self.is_active: bool = True
"""True if the account is active, or False otherwise."""
self.is_anonymous: bool = False
"""True if the account is anonymous, or False otherwise."""
def get_id(self) -> str:
"""Returns the username.
@ -67,37 +74,46 @@ class User:
return self.is_active
class FlaskLoginTestCase(TestCase):
class FlaskLoginTestCase(unittest.TestCase):
"""The test case with the Flask-Login integration."""
def create_app(self) -> Flask:
"""Creates the Flask application.
def setUp(self) -> None:
"""Sets up the test.
This is run once per test.
:return: The Flask application.
:return: None.
"""
app: Flask = Flask(__name__)
app.config.from_mapping({
logging.getLogger("test_flask_login").addHandler(logging.NullHandler())
self.app: Flask = Flask(__name__)
self.app.config.from_mapping({
"TESTING": True,
"SECRET_KEY": token_urlsafe(32),
"DIGEST_AUTH_REALM": _REALM,
"DIGEST_AUTH_REALM": REALM,
})
app.test_client_class = Client
self.__client: httpx.Client = httpx.Client(
app=self.app, base_url="https://testserver")
"""The testing client."""
self.has_flask_login: bool = True
self.__has_flask_login: bool = True
"""Whether the Flask-Login package is installed."""
try:
import flask_login
except ModuleNotFoundError:
self.has_flask_login = False
return app
self.__has_flask_login = False
return
except ImportError:
self.__has_flask_login = False
return
login_manager: flask_login.LoginManager = flask_login.LoginManager()
login_manager.init_app(app)
login_manager.init_app(self.app)
auth: DigestAuth = DigestAuth()
auth.init_app(app)
auth.init_app(self.app)
self.user: User = User(_USERNAME, _PASSWORD)
user_db: Dict[str, User] = {_USERNAME: self.user}
self.__user: User = User(USERNAME, PASSWORD)
"""The user account."""
user_db: Dict[str, User] = {USERNAME: self.__user}
@auth.register_get_password
def get_password_hash(username: str) -> Optional[str]:
@ -127,7 +143,7 @@ class FlaskLoginTestCase(TestCase):
"""
return user_db[user_id] if user_id in user_db else None
@app.get("/admin-1/auth", endpoint="admin-1")
@self.app.get(ADMIN_1_URI)
@flask_login.login_required
def admin_1() -> str:
"""The first administration section.
@ -136,7 +152,7 @@ class FlaskLoginTestCase(TestCase):
"""
return f"Hello, {flask_login.current_user.get_id()}! #1"
@app.get("/admin-2/auth", endpoint="admin-2")
@self.app.get(ADMIN_2_URI)
@flask_login.login_required
def admin_2() -> str:
"""The second administration section.
@ -145,7 +161,7 @@ class FlaskLoginTestCase(TestCase):
"""
return f"Hello, {flask_login.current_user.get_id()}! #2"
@app.post("/logout", endpoint="logout")
@self.app.post(LOGOUT_URI)
@flask_login.login_required
def logout() -> redirect:
"""Logs out the user.
@ -155,75 +171,81 @@ class FlaskLoginTestCase(TestCase):
auth.logout()
return redirect(request.form.get("next"))
return app
def test_auth(self) -> None:
"""Tests the authentication.
:return: None.
"""
if not self.has_flask_login:
self.skipTest("Skipped without Flask-Login.")
if not self.__has_flask_login:
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
response: Response = self.client.get(self.app.url_for("admin-1"))
response: httpx.Response
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(
self.app.url_for("admin-1"), digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
self.assertEqual(response.data.decode("UTF-8"),
f"Hello, {_USERNAME}! #1")
response: Response = self.client.get(self.app.url_for("admin-2"))
self.assertEqual(response.text, f"Hello, {USERNAME}! #1")
response = self.__client.get(ADMIN_2_URI)
self.assertEqual(response.status_code, 200)
self.assertEqual(response.data.decode("UTF-8"),
f"Hello, {_USERNAME}! #2")
self.assertEqual(self.user.visits, 1)
self.assertEqual(response.text, f"Hello, {USERNAME}! #2")
self.assertEqual(self.__user.visits, 1)
def test_stale_opaque(self) -> None:
"""Tests the stale and opaque value.
:return: None.
"""
if not self.has_flask_login:
self.skipTest("Skipped without Flask-Login.")
if not self.__has_flask_login:
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
admin_uri: str = self.app.url_for("admin-1")
response: Response
response: httpx.Response
www_authenticate: WWWAuthenticate
auth_data: Authorization
auth_header: str
response = super(Client, self.client).get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.type, "digest")
self.assertEqual(www_authenticate.stale, None)
self.assertIsNone(www_authenticate.get("stale"))
opaque: str = www_authenticate.opaque
with self.app.app_context():
if hasattr(g, "_login_user"):
delattr(g, "_login_user")
www_authenticate.nonce = "bad"
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
self.assertEqual(www_authenticate.stale, True)
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.get("stale"), "TRUE")
self.assertEqual(www_authenticate.opaque, opaque)
with self.app.app_context():
if hasattr(g, "_login_user"):
delattr(g, "_login_user")
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD + "2")
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD + "2")
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 401)
www_authenticate = response.www_authenticate
self.assertEqual(www_authenticate.stale, False)
www_authenticate = WWWAuthenticate.from_header(
response.headers["WWW-Authenticate"])
self.assertEqual(www_authenticate.get("stale"), "FALSE")
self.assertEqual(www_authenticate.opaque, opaque)
with self.app.app_context():
if hasattr(g, "_login_user"):
delattr(g, "_login_user")
auth_data = Client.make_authorization(
www_authenticate, admin_uri, _USERNAME, _PASSWORD)
response = super(Client, self.client).get(admin_uri, auth=auth_data)
auth_header = make_authorization(
www_authenticate, ADMIN_1_URI, USERNAME, PASSWORD)
response = self.__client.get(ADMIN_1_URI,
headers={"Authorization": auth_header})
self.assertEqual(response.status_code, 200)
def test_logout(self) -> None:
@ -231,69 +253,67 @@ class FlaskLoginTestCase(TestCase):
:return: None.
"""
if not self.has_flask_login:
self.skipTest("Skipped without Flask-Login.")
if not self.__has_flask_login:
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
admin_uri: str = self.app.url_for("admin-1")
logout_uri: str = self.app.url_for("logout")
response: Response
response: httpx.Response
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 200)
response = self.client.post(logout_uri, data={"next": admin_uri})
response = self.__client.post(LOGOUT_URI, data={"next": ADMIN_1_URI})
self.assertEqual(response.status_code, 302)
self.assertEqual(response.location, admin_uri)
self.assertEqual(response.headers["Location"], ADMIN_1_URI)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 401)
response = self.client.get(admin_uri,
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
response = self.client.get(admin_uri)
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 200)
self.assertEqual(self.user.visits, 2)
self.assertEqual(self.__user.visits, 2)
def test_disabled(self) -> None:
"""Tests the disabled user.
:return: None.
"""
if not self.has_flask_login:
self.skipTest("Skipped without Flask-Login.")
if not self.__has_flask_login:
self.skipTest(SKIPPED_NO_FLASK_LOGIN)
response: Response
response: httpx.Response
self.user.is_active = False
response = self.client.get(self.app.url_for("admin-1"))
self.__user.is_active = False
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(self.app.url_for("admin-1"),
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 401)
self.user.is_active = True
response = self.client.get(self.app.url_for("admin-1"),
digest_auth=(_USERNAME, _PASSWORD))
self.__user.is_active = True
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 200)
response = self.client.get(self.app.url_for("admin-1"))
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 200)
self.user.is_active = False
response = self.client.get(self.app.url_for("admin-1"))
self.__user.is_active = False
response = self.__client.get(ADMIN_1_URI)
self.assertEqual(response.status_code, 401)
response = self.client.get(self.app.url_for("admin-1"),
digest_auth=(_USERNAME, _PASSWORD))
response = self.__client.get(ADMIN_1_URI,
auth=httpx.DigestAuth(USERNAME, PASSWORD))
self.assertEqual(response.status_code, 401)

87
tests/testlib.py Normal file
View File

@ -0,0 +1,87 @@
# The Flask HTTP Digest Authentication Project.
# Author: imacat@mail.imacat.idv.tw (imacat), 2023/10/5
# Copyright (c) 2023 imacat.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The common test libraries.
"""
from secrets import token_urlsafe
from typing import Optional, Literal, Dict
from werkzeug.datastructures import Authorization, WWWAuthenticate
from werkzeug.http import parse_set_header
from flask_digest_auth import calc_response, make_password_hash
REALM: str = "testrealm@host.com"
"""The realm."""
USERNAME: str = "Mufasa"
"""The username."""
PASSWORD: str = "Circle Of Life"
"""The password."""
ADMIN_1_URI: str = "/admin-1/auth"
"""The first administration URI."""
ADMIN_2_URI: str = "/admin-2/auth"
"""The first administration URI."""
LOGOUT_URI: str = "/logout"
"""The log out URI."""
def make_authorization(www_authenticate: WWWAuthenticate, uri: str,
username: str, password: str) -> str:
"""Composes and returns the request authorization.
:param www_authenticate: The ``WWW-Authenticate`` response.
:param uri: The request URI.
:param username: The username.
:param password: The password.
:return: The request authorization header.
"""
qop: Optional[Literal["auth", "auth-int"]] = None
if "auth" in parse_set_header(www_authenticate.get("qop")):
qop = "auth"
cnonce: Optional[str] = None
if qop is not None or www_authenticate.algorithm == "MD5-sess":
cnonce = token_urlsafe(8)
nc: Optional[str] = None
count: int = 1
if qop is not None:
nc: str = hex(count)[2:].zfill(8)
expected: str = calc_response(
method="GET", uri=uri,
password_hash=make_password_hash(www_authenticate.realm,
username, password),
nonce=www_authenticate.nonce, qop=qop,
algorithm=www_authenticate.algorithm, cnonce=cnonce, nc=nc,
body=None)
data: Dict[str, str] = {
"username": username, "realm": www_authenticate.realm,
"nonce": www_authenticate.nonce, "uri": uri, "response": expected}
if www_authenticate.algorithm is not None:
data["algorithm"] = www_authenticate.algorithm
if cnonce is not None:
data["cnonce"] = cnonce
if www_authenticate.opaque is not None:
data["opaque"] = www_authenticate.opaque
if qop is not None:
data["qop"] = qop
if nc is not None:
data["nc"] = nc
return str(Authorization("digest", data=data))