o >h@sUdZddlmZddlmZddlmZddlmZm Z ddl m Z ddl m Z mZmZddlmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZdZeeed<edr~ddl m!Z!ddl"mZm#Z#m$Z$ddl%m&Z&ddl'm(Z(nGdddZ#GdddZ$Gddde$j)Z*Gddde$j)Z+Gddde$j)Z,Gdd d e#j-Z.eeGd!d"d"Z/ee Gd#d$d$Z0ee Gd%d&d&Z1ee Gd'd(d(Z2Gd)d*d*ej3Z4Gd+d,d,ej3Z5Gd-d.d.ej3Z6Gd/d0d0ej3Z7dS)1zT Tests for the implementation of the ssh-userauth service. Maintainer: Paul Swartz ) ModuleType)Optional) implementer) ConchErrorValidPublicKey)ICredentialsChecker) IAnonymousISSHPrivateKeyIUsernamePassword)UnauthorizedLogin)IRealmPortal)defertask)loopback) requireModule)unittestNkeys cryptography)SSHProtocolChecker)r transportuserauth)NS)keydatac@eZdZGdddZdS)rc@eZdZdZdS)ztransport.SSHTransportBaseQ A stub class so that later class definitions won't die. N__name__ __module__ __qualname____doc__r"r"/var/www/vedio/testing/chatpythonscript.ninositsolution.com/env/lib/python3.10/site-packages/twisted/conch/test/test_userauth.pySSHTransportBase"r$N)rrr r$r"r"r"r#r!rc@r)rc@r)zuserauth.SSHUserAuthClientrNrr"r"r"r#SSHUserAuthClient(r%r'N)rrr r'r"r"r"r#r'r&rc@s2eZdZdZddZddZd ddZd d ZdS) ClientUserAuthz" A mock user auth client. cCs(|jr tjtjSttjtjS)z If this is the first time we've been called, return a blob for the DSA key. Otherwise, return a blob for the RSA key. ) lastPublicKeyrKey fromStringrpublicRSA_opensshrsucceedpublicDSA_opensshselfr"r"r# getPublicKey3szClientUserAuth.getPublicKeycCsttjtjS)z@ Return the private key object for the RSA key. )rr-rr*r+rprivateRSA_opensshr/r"r"r# getPrivateKey>zClientUserAuth.getPrivateKeyNcC tdS)z/ Return 'foo' as the password. foorr-)r0promptr"r"r# getPasswordD zClientUserAuth.getPasswordcCr5)z> Return 'foo' as the answer to two questions. )foor;r7)r0name informationanswersr"r"r#getGenericAnswersJr:z ClientUserAuth.getGenericAnswersN)rrr r!r1r3r9r?r"r"r"r#r(.s   r(c@ eZdZdZddZddZdS) OldClientAuthz~ The old SSHUserAuthClient returned a cryptography key object from getPrivateKey() and a string from getPublicKey cCsttjtjjSr@)rr-rr*r+rr2 keyObjectr/r"r"r#r3WzOldClientAuth.getPrivateKeycCstjtjSr@)rr*r+rr,blobr/r"r"r#r1ZszOldClientAuth.getPublicKeyNrrr r!r3r1r"r"r"r#rBQs rBc@rA)ClientAuthWithoutPrivateKeyzP This client doesn't have a private key, but it does have a public key. cCdSr@r"r/r"r"r#r3cz)ClientAuthWithoutPrivateKey.getPrivateKeycCstjtjSr@)rr*r+rr,r/r"r"r#r1fz(ClientAuthWithoutPrivateKey.getPublicKeyNrFr"r"r"r#rG^s rGc@sLeZdZdZGdddZGdddZddZdd Zd d Zd d Z dS) FakeTransporta_ L{userauth.SSHUserAuthServer} expects an SSH transport which has a factory attribute which has a portal attribute. Because the portal is important for testing authentication, we need to be able to provide an interesting portal object to the L{SSHUserAuthServer}. In addition, we want to be able to capture any packets sent over the transport. @ivar packets: a list of 2-tuples: (messageType, data). Each 2-tuple is a sent packet. @type packets: C{list} @param lostConnecion: True if loseConnection has been called on us. @type lostConnection: L{bool} c@seZdZdZdZddZdS)zFakeTransport.ServicezW A mock service, representing the other service offered by the server. nancycCrHr@r"r/r"r"r#serviceStartedrIz$FakeTransport.Service.serviceStartedN)rrr r!r<rMr"r"r"r#Service{s rNc@eZdZdZddZdS)zFakeTransport.Factoryzg A mock factory, representing the factory that spawned this user auth service. cCs|dkrtjSdS)z2 Return our fake service. noneN)rKrN)r0rservicer"r"r# getServicesz FakeTransport.Factory.getServiceN)rrr r!rRr"r"r"r#Factorys rScCs(||_||j_d|_||_g|_dSNF)rSfactoryportallostConnectionrpackets)r0rVr"r"r#__init__s  zFakeTransport.__init__cCs|j||fdS)z8 Record the packet sent by the service. N)rXappend)r0 messageTypemessager"r"r# sendPacketr4zFakeTransport.sendPacketcCdS)z Pretend that this transport encrypts traffic in both directions. The SSHUserAuthServer disables password authentication if the transport isn't encrypted. Tr")r0 directionr"r"r# isEncryptedszFakeTransport.isEncryptedcCs d|_dSNT)rWr/r"r"r#loseConnections zFakeTransport.loseConnectionN) rrr r!rNrSrYr]r`rbr"r"r"r#rKjs   rKc@rO)Realmz A mock realm for testing L{userauth.SSHUserAuthServer}. This realm is not actually used in the course of testing, so it returns the simplest thing that could possibly work. cGst|ddddfS)NrcSrHr@r"r"r"r"r#z%Realm.requestAvatar..r7)r0avatarIdmind interfacesr"r"r# requestAvatarszRealm.requestAvatarN)rrr r!rir"r"r"r#rcs rcc@eZdZdZefZddZdS)PasswordCheckerz A very simple username/password checker which authenticates anyone whose password matches their username and rejects all others. cCs&|j|jkr t|jSttdS)NzInvalid username/password pair)usernamepasswordrr-failr )r0credsr"r"r#requestAvatarIds  zPasswordChecker.requestAvatarIdN)rrr r!r credentialInterfacesrpr"r"r"r#rk rkc@rj)PrivateKeyCheckerz A very simple public key checker which authenticates anyone whose public/private keypair is the same keydata.public/privateRSA_openssh. cCsX|jtjtjkr)|jdur&tj|j}||j|jr#|j St t t r@) rErr*r+rr, signatureverifysigDatarlrr )r0roobjr"r"r#rps z!PrivateKeyChecker.requestAvatarIdN)rrr r!r rqrpr"r"r"r#rsrrrsc@rj)AnonymousCheckerzI A simple checker which isn't supported by L{SSHUserAuthServer}. cCrHr@r")r0 credentialsr"r"r#rpsz AnonymousChecker.requestAvatarIdN)rrr r!rrqrpr"r"r"r#rxs rxc@seZdZdZedur dZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+ZdS),SSHUserAuthServerTestsz& Tests for SSHUserAuthServer. Ncannot run without cryptographycCsbt|_t|j|_|jt|jtt|_ t |j|j _ |j |j j dSr@)rcrealmr rVregisterCheckerrkrsrSSHUserAuthServer authServerrKrrMsupportedAuthenticationssortr/r"r"r#setUps   zSSHUserAuthServerTests.setUpcC|jd|_dSr@)rserviceStoppedr/r"r"r#tearDown  zSSHUserAuthServerTests.tearDowncCs(||jjjdtjtddfdS)z; Check that the authentication has failed. spassword,publickeyN) assertEqualrrrXrMSG_USERAUTH_FAILURErr0ignoredr"r"r# _checkFaileds z#SSHUserAuthServerTests._checkFailedcCs,|jtdtdtd}||jS)z A client may request a list of authentication 'method name' values that may continue by using the "none" authentication 'method name'. See RFC 4252 Section 5.2. r6sservicerP)rssh_USERAUTH_REQUESTr addCallbackr)r0dr"r"r#test_noneAuthentications z.SSHUserAuthServerTests.test_noneAuthenticationcsFdtdtdtddtdg}j|}fdd}||S)z When provided with correct password authentication information, the server should respond by sending a MSG_USERAUTH_SUCCESS message with no other data. See RFC 4252, Section 5.1. r6rPpasswordrcjjjtjdfgdSNrrrrrXrMSG_USERAUTH_SUCCESSrr/r"r#check zKSSHUserAuthServerTests.test_successfulPasswordAuthentication..check)joinrrrrr0packetrrr"r/r#%test_successfulPasswordAuthentications$   z.check)rr*r+rr,rEr2rsshTyperr sessionIDsignbytesrMSG_USERAUTH_REQUESTrr)r0rErwrrtrrr"r/r#'test_successfulPrivateKeyAuthentication8s,      z>SSHUserAuthServerTests.test_successfulPrivateKeyAuthenticationcstdd}dd}fdd}||jd|||jd|||jd |td td td td }|j||tS)z ssh_USERAUTH_REQUEST should raise a ConchError if tryAuth returns None. Added to catch a bug noticed by pyflakes. cSs|ddS)Nz&request should have raised ConochError)rnrr"r"r#mockCbFinishedAuth\rJzOSSHUserAuthServerTests.test_requestRaisesConchError..mockCbFinishedAuthcSrHr@r")kinduserdatar"r"r# mockTryAuth_rIzHSSHUserAuthServerTests.test_requestRaisesConchError..mockTryAuthcs|jdSr@)errbackvalue)reasonrr"r# mockEbBadAuthbszJSSHUserAuthServerTests.test_requestRaisesConchError..mockEbBadAuthtryAuth_cbFinishedAuth _ebBadAuthsuserrPs public-keysdata)rDeferredpatchrrr assertFailurer)r0rrrrr"rr#test_requestRaisesConchErrorUs    z3SSHUserAuthServerTests.test_requestRaisesConchErrorcsbtjtjtdtdtddtdt}j|}fdd}| |S)z@ Test that verifying a valid private key works. r6rPrrssh-rsacs*jjjtjtdtfgdS)Nr)rrrrXrMSG_USERAUTH_PK_OKrrrEr0r"r#r~sz@SSHUserAuthServerTests.test_verifyValidPrivateKey..check) rr*r+rr,rErrrrrr"rr#test_verifyValidPrivateKeyos   z1SSHUserAuthServerTests.test_verifyValidPrivateKeycCsVtjtj}tdtdtddtdt|}|j|}| |j S)d Test that private key authentication fails when the public key is invalid. r6rPrrsssh-dsa rr*r+rr.rErrrrrr0rErrr"r"r#3test_failedPrivateKeyAuthenticationWithoutSignatures  zJSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithoutSignaturecCs|tjtj}tjtj}tdtdtddtdt|t||}d|j j _ |j |}| |jS)rr6rPrrrr)rr*r+rr,rEr2rrrrrrrr)r0rErwrrr"r"r#0test_failedPrivateKeyAuthenticationWithSignatures&   zGSSHUserAuthServerTests.test_failedPrivateKeyAuthenticationWithSignaturecCsjtjtj}td|dd}tdtdtddtdt|}|j|}| |j S) z Private key authentication fails when the public key type is unsupported or the public key is corrupt. s ssh-bad-type Nr6rPrrrrrr"r"r#test_unsupported_publickeys   z1SSHUserAuthServerTests.test_unsupported_publickeycCsRt}t|j|_|jt|||j | |j ddgdS)ah L{SSHUserAuthServer} sets up C{SSHUserAuthServer.supportedAuthentications} by checking the portal's credentials interfaces and mapping them to SSH authentication method strings. If the Portal advertises an interface that L{SSHUserAuthServer} can't map, it should be ignored. This is a white box test. rrN) rr~rKrVrr}rxrMrrrrr0serverr"r"r# test_ignoreUnknownCredInterfacess  z7SSHUserAuthServerTests.test_ignoreUnknownCredInterfacescCs|d|jjt}t|j|_dd|j_| | | d|jt}t|j|_dd|j_| | |d|jdS)z Test that the userauth service does not advertise password authentication if the password would be send in cleartext. rcSr^rTr"xr"r"r#rdrezISSHUserAuthServerTests.test_removePasswordIfUnencrypted..cS|dkSNinr"rr"r"r#rdN) assertInrrrr~rKrVrr`rMr assertNotIn)r0clearAuthServerhalfAuthServerr"r"r# test_removePasswordIfUnencrypteds    z7SSHUserAuthServerTests.test_removePasswordIfUnencryptedcCst|j}|tt}t||_dd|j_| | | |j dgt}t||_dd|j_| | | |j dgdS)z If the L{SSHUserAuthServer} is not advertising passwords, then an unencrypted connection should not cause any warnings or exceptions. This is a white box test. cSr^rTr"rr"r"r#rdrezSSSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswords..rcSrrr"rr"r"r#rdrN) r r|r}rsrr~rKrr`rMrrr)r0rVrrr"r"r#*test_unencryptedConnectionWithoutPasswordss      zASSHUserAuthServerTests.test_unencryptedConnectionWithoutPasswordscCst}t|_t|j|_||j d| | |jj tj dttjftdtdfg||jjdS)z0 Test that the login times out. 鰚syou took too longrN)rr~rrrrKrVrrMrrrrXMSG_DISCONNECTr)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEr assertTruerWr0timeoutAuthServerr"r"r#test_loginTimeouts(     z(SSHUserAuthServerTests.test_loginTimeoutcCs\t}t|_t|j|_|| |j d| |jj g| |jjdS)zN Test that stopping the service also stops the login timeout. rN)rr~rrrrKrVrrMrrrrX assertFalserWrr"r"r#test_cancelLoginTimeouts   z.SSHUserAuthServerTests.test_cancelLoginTimeoutcsndtdtdtddtdg}tj_tdD]}j|}jjdqfd d }| |S) zm Test that the server disconnects if the client fails authentication too many times. rr6rPrrrrcs<jjjdtjdttjftdtdfdS)Nrrstoo many bad authsr)rrrrXrrrrrr/r"r#r1s  z:SSHUserAuthServerTests.test_tooManyAttempts..check) rrrrrrrangerrr)r0rirrr"r/r#test_tooManyAttempts&s$     z+SSHUserAuthServerTests.test_tooManyAttemptscCsHtdtdtddtd}t|j_|j|}||jS)zo If the user requests a service that we don't support, the authentication should fail. r6rrr)rrrrrrrrrr"r"r#test_failIfUnknownService?s$   z0SSHUserAuthServerTests.test_failIfUnknownServicecsVdd}jd|jddfdd}jddd}|t|S) aZ tryAuth() has two edge cases that are difficult to reach. 1) an authentication method auth_* returns None instead of a Deferred. 2) an authentication type that is defined does not have a matching auth_* method. Both these cases should return a Deferred which fails with a ConchError. cSrHr@r")rr"r"r#mockAuthUrIz>SSHUserAuthServerTests.test_tryAuthEdgeCases..mockAuthauth_publickey auth_passwordNcsjddd}|tS)Nr)rrrr)rd2r/r"r# secondTest[s z@SSHUserAuthServerTests.test_tryAuthEdgeCases..secondTestr)rrrrrr)r0rrd1r"r/r#test_tryAuthEdgeCasesIs   z,SSHUserAuthServerTests.test_tryAuthEdgeCases)rrr r!rskiprrrrrrrrrrrrrrrrrrrrr"r"r"r#rzs0     rzc@seZdZdZedur dZddZddZdd Zd d Z d d Z ddZ ddZ ddZ ddZddZddZddZddZddZd d!ZdS)"SSHUserAuthClientTestsz& Tests for SSHUserAuthClient. Nr{cCs4tdt|_td|j_d|jj_|jdS)Nr6r)r(rKrN authClientrrrMr/r"r"r#rks  zSSHUserAuthClientTests.setUpcCrr@)rrr/r"r"r#rqrzSSHUserAuthClientTests.tearDowncCsT||jjd||jjjd||jjjtjt dt dt dfgdS)z; Test that client is initialized properly. r6rLrPN) rrrinstancer<rrXrrrr/r"r"r# test_initus z SSHUserAuthClientTests.test_initcs@dgfdd}||jj_|jd|d|jjdS)z9 Test that the client succeeds properly. Ncs |d<dS)Nrr")rQrr"r#stubSetServices zDSSHUserAuthClientTests.test_USERAUTH_SUCCESS..stubSetServicerr)rr setServicessh_USERAUTH_SUCCESSrr)r0rr"rr#test_USERAUTH_SUCCESSs    z,SSHUserAuthClientTests.test_USERAUTH_SUCCESSc Cs|jtdd||jjjdtjtdtdtddtdttj t j  f|jtddttj t j }||jjjdtjtdtdtddtd|f|jtdttj t j t|jjjttjftdtdtddtd|}tj t j}||jjjdtjtdtdtddtd|t||fd S) zJ Test that the client can authenticate with a public key. rrrr6rLsssh-dssrN)rssh_USERAUTH_FAILURErrrrXrrrr*r+rr.rEr,ssh_USERAUTH_PK_OKrrr2r)r0rErvrwr"r"r#test_publickeys        z%SSHUserAuthClientTests.test_publickeycCsztdt}td|_d|j_||dg|j_|| d| |jjt j t dt dt dfgdS)z If the SSHUserAuthClient doesn't return anything from signData, the client should start the authentication over again by requesting 'none' authentication. r6NrrrrLrP)rGrKrNrrrMrrX assertIsNonerrrrr)r0rr"r"r#!test_publickey_without_privatekeys  z8SSHUserAuthClientTests.test_publickey_without_privatekeycs.ddj_jd}fdd}||S)z{ If there's no public key, auth_publickey should return a Deferred called back with a False value. cSrHr@r"rr"r"r#rdrez:SSHUserAuthClientTests.test_no_publickey..rcs|dSr@)rresultr/r"r#rrJz7SSHUserAuthClientTests.test_no_publickey..check)rr1rr)r0rrr"r/r#test_no_publickeys    z(SSHUserAuthClientTests.test_no_publickeycCs|jtdd||jjjdtjtdtdtddtdf|jtdtd||jjjdtjtdtdtddtddfd S) zx Test that the client can authentication with a password. This includes changing the password. rrrr6rLrrrN) rrrrrrXrrrr/r"r"r# test_passwords " &z$SSHUserAuthClientTests.test_passwordcCs"dd|j_||jddS)zK If getPassword returns None, tryAuth should return False. cSrHr@r"r"r"r"r#rdrez9SSHUserAuthClientTests.test_no_password..rN)rr9rrr/r"r"r#test_no_passwords z'SSHUserAuthClientTests.test_no_passwordcCs`|jtdtdtddtdd||jjjdtjdtdtdfdS) zj Make sure that the client can authenticate with the keyboard interactive method. rss Password: rrsr6N)r'ssh_USERAUTH_PK_OK_keyboard_interactiverrrrXrMSG_USERAUTH_INFO_RESPONSEr/r"r"r#test_keyboardInteractives& z/SSHUserAuthClientTests.test_keyboardInteractivecCsPd|j_g|jj_|jd||jjjtjtdtdtdfgdS)z If C{SSHUserAuthClient} gets a MSG_USERAUTH_PK_OK packet when it's not expecting it, it should fail the current authentication and move on to the next type. sunknownrr6rLrPN) rlastAuthrrXrrrrrr/r"r"r#"test_USERAUTH_PK_OK_unknown_methods  z9SSHUserAuthClientTests.test_USERAUTH_PK_OK_unknown_methodcsfdd}fdd}|j_|j_jtddjjjdtj tdtd td dtdfjtd d jjjd dddgdS)z ssh_USERAUTH_FAILURE should sort the methods by their position in SSHUserAuthClient.preferredOrder. Methods that are not in preferredOrder should be sorted at the end of that list. csjjdddS)N here is datarrr]r"r/r"r#auth_firstmethod2szNSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_firstmethodcsjjdddS)N other dataTr r"r/r"r#auth_anothermethod5szPSSHUserAuthClientTests.test_USERAUTH_FAILURE_sorting..auth_anothermethodsanothermethod,passwordrrr6rLrs"firstmethod,anothermethod,passwordrN)r r )rr) rr rrrrrrXrr)r0r rr"r/r#test_USERAUTH_FAILURE_sorting+s$   " z4SSHUserAuthClientTests.test_USERAUTH_FAILURE_sortingcCsT|jtdd|jtdd||jjjdtjdtddfdS) z If there are no more available user authentication messages, the SSHUserAuthClient should disconnect with code DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE. rrrrss(no more authentication methods availablesN)rrrrrrXrr/r"r"r#%test_disconnectIfNoMoreAuthenticationOs z.checkcs*|tddd}|jSr@)rrr?rrnrr)rcheck3r0r"r#r{s z4SSHUserAuthClientTests.test_defaults..check2cSs|tdSr@)rrrr"r"r#rrJz4SSHUserAuthClientTests.test_defaults..check3) rr'rKrNrr1r3rrnr)r0rrr")rrrr0r# test_defaultsmsz$SSHUserAuthClientTests.test_defaults)rrr r!rrrrrrrrrrrrr rrrrr"r"r"r#rcs&  > $ rc@s.eZdZedur dZGdddZddZdS) LoopbackTestsNr{c@s"eZdZGdddZddZdS)zLoopbackTests.Factoryc@rA)zLoopbackTests.Factory.Service TestServicecCs|jdSr@)rrbr/r"r"r#rMrJz,LoopbackTests.Factory.Service.serviceStartedcCrHr@r"r/r"r"r#rrIz,LoopbackTests.Factory.Service.serviceStoppedN)rrr r<rMrr"r"r"r#rNs rNcCs|jSr@)rN)r0avatarr<r"r"r#rRsz LoopbackTests.Factory.getServiceN)rrr rNrRr"r"r"r#rSs rScs ttdj}t_j_ddj_t|_||j_dj_ |j_ ddj_ |j_ j_ d_ t }t|}tttfdd_||jj _tj|j}ddjj_d d|jj_|fd d }||S) zW Test that the userauth server and client play nicely with each other. r6cSr^rar"rr"r"r#rdrez-LoopbackTests.test_loopback..rcSrHr@r"r"r"r"r#rdrercstj|dkS)Nr)lensuccessfulCredentials)aId)checkerr"r#rdscSr^)N_ServerLoopbackr"r"r"r"r#rdrecSr^)N_ClientLoopbackr"r"r"r"r#rdrecsjjjddS)Nr)rrrQr<rrr"r#rrDz*LoopbackTests.test_loopback..check)rr~r(rSrNrr$rQr`r sendKexInitrU passwordDelayrcr rr}rkrsareDonerVr loopbackAsync logPrefixrMr)r0clientr|rVrrr")r#r0rr# test_loopbacks4         zLoopbackTests.test_loopback)rrr rrrSr,r"r"r"r#rs  rc@s eZdZedur dZddZdS)ModuleInitializationTestsNr{cCs,|tjjdd|tjjdddS)N<r)rrr~protocolMessagesr'r/r"r"r# test_messagess   z'ModuleInitializationTests.test_messages)rrr rrr0r"r"r"r#r-s r-)8r!typesrtypingrzope.interfacertwisted.conch.errorrrtwisted.cred.checkersrtwisted.cred.credentialsrr r twisted.cred.errorr twisted.cred.portalr r twisted.internetrrtwisted.protocolsrtwisted.python.reflectr twisted.trialrr__annotations__twisted.conch.checkersrtwisted.conch.sshrrtwisted.conch.ssh.commonrtwisted.conch.testrr'r(rBrGr$rKrcrkrsrxTestCaserzrrr-r"r"r"r#sR          #  A  }&;