pyceo/tests/conftest_ceod_api.py

from base64 import b64encode
import contextlib
import os
import json
import socket
import subprocess
import tempfile

from flask import g
from flask.testing import FlaskClient
import gssapi
import pytest
from requests import Request
from requests_gssapi import HTTPSPNEGOAuth

from ceo_common.krb5.utils import get_fwd_tgt

__all__ = ['client']


@pytest.fixture(scope='session')
def client(app):
    app_client = app.test_client()
    with tempfile.TemporaryDirectory() as cache_dir:
        yield CeodTestClient(app_client, cache_dir)


class CeodTestClient:
    def __init__(self, app_client: FlaskClient, cache_dir: str):
        self.client = app_client
        self.syscom_principal = 'ctdalek'
        # this is only used for the HTTPSNEGOAuth
        self.base_url = f'http://{socket.getfqdn()}'
        # for each principal for which we acquired a TGT, map their
        # username to a file (ccache) storing their TGT
        self.principal_ccaches = {}
        # this is where we'll store the credentials for each principal
        self.cache_dir = cache_dir

    @contextlib.contextmanager
    def krb5ccname_env(self, principal):
        """Temporarily change KRB5CCNAME to the ccache of the principal."""
        old_krb5ccname = os.environ['KRB5CCNAME']
        os.environ['KRB5CCNAME'] = self.principal_ccaches[principal]
        try:
            yield
        finally:
            os.environ['KRB5CCNAME'] = old_krb5ccname

    def get_auth(self, principal):
        """Acquire a HTTPSPNEGOAuth instance for the principal."""
        name = gssapi.Name(principal)
        # the 'store' arg doesn't seem to work for DIR ccaches
        with self.krb5ccname_env(principal):
            creds = gssapi.Credentials(name=name, usage='initiate')
        auth = HTTPSPNEGOAuth(
            opportunistic_auth=True,
            target_name='ceod',
            creds=creds,
        )
        return auth

    def kinit(self, principal):
        """Acquire an initial TGT for the principal."""
        # For some reason, kinit with the '-c' option deletes the other
        # credentials in the cache collection, so we need to override the
        # env variable
        subprocess.run(
            ['kinit', principal],
            text=True, input='krb5', check=True, stdout=subprocess.DEVNULL,
            env={'KRB5CCNAME': self.principal_ccaches[principal]})

    def get_headers(self, principal):
        if principal not in self.principal_ccaches:
            _, filename = tempfile.mkstemp(dir=self.cache_dir)
            self.principal_ccaches[principal] = filename
            self.kinit(principal)
        # Get the Authorization header (SPNEGO).
        # The method doesn't matter here because we just need to extract
        # the header using req.prepare().
        req = Request('GET', self.base_url, auth=self.get_auth(principal))
        headers = list(req.prepare().headers.items())
        # Get the X-KRB5-CRED header (forwarded TGT).
        cred = b64encode(get_fwd_tgt(
            'ceod/' + socket.getfqdn(), self.principal_ccaches[principal]
        )).decode()
        headers.append(('X-KRB5-CRED', cred))
        return headers

    def request(self, method, path, principal, **kwargs):
        # Make sure that we're not already in a request context, otherwise
        # g will get overridden
        with pytest.raises(RuntimeError):
            '' in g
        if principal is None:
            principal = self.syscom_principal
        resp = self.client.open(
            path, method=method, headers=self.get_headers(principal), **kwargs)
        status = int(resp.status.split(' ', 1)[0])
        if resp.headers['content-type'] == 'application/json':
            data = json.loads(resp.data)
        else:
            data = [json.loads(line) for line in resp.data.splitlines()]
        return status, data

    def get(self, path, principal=None, **kwargs):
        return self.request('GET', path, principal, **kwargs)

    def post(self, path, principal=None, **kwargs):
        return self.request('POST', path, principal, **kwargs)

    def patch(self, path, principal=None, **kwargs):
        return self.request('PATCH', path, principal, **kwargs)

    def delete(self, path, principal=None, **kwargs):
        return self.request('DELETE', path, principal, **kwargs)
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`from base64 import b64encode`
add simple authz tests 2021-08-19 16:33:44 -04:00			`import contextlib`
			`import os`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`import json`
			`import socket`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`import subprocess`
			`import tempfile`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
add tests for Mailman API 2021-08-19 12:14:41 -04:00			`from flask import g`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`from flask.testing import FlaskClient`
			`import gssapi`
			`import pytest`
			`from requests import Request`
			`from requests_gssapi import HTTPSPNEGOAuth`

add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`from ceo_common.krb5.utils import get_fwd_tgt`

			`__all__ = ['client']`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00

			`@pytest.fixture(scope='session')`
			`def client(app):`
			`app_client = app.test_client()`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`with tempfile.TemporaryDirectory() as cache_dir:`
			`yield CeodTestClient(app_client, cache_dir)`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00

			`class CeodTestClient:`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`def __init__(self, app_client: FlaskClient, cache_dir: str):`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`self.client = app_client`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`self.syscom_principal = 'ctdalek'`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`# this is only used for the HTTPSNEGOAuth`
			`self.base_url = f'http://{socket.getfqdn()}'`
add simple authz tests 2021-08-19 16:33:44 -04:00			`# for each principal for which we acquired a TGT, map their`
			`# username to a file (ccache) storing their TGT`
			`self.principal_ccaches = {}`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`# this is where we'll store the credentials for each principal`
add simple authz tests 2021-08-19 16:33:44 -04:00			`self.cache_dir = cache_dir`

			`@contextlib.contextmanager`
			`def krb5ccname_env(self, principal):`
			`"""Temporarily change KRB5CCNAME to the ccache of the principal."""`
			`old_krb5ccname = os.environ['KRB5CCNAME']`
			`os.environ['KRB5CCNAME'] = self.principal_ccaches[principal]`
			`try:`
			`yield`
			`finally:`
			`os.environ['KRB5CCNAME'] = old_krb5ccname`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
			`def get_auth(self, principal):`
add simple authz tests 2021-08-19 16:33:44 -04:00			`"""Acquire a HTTPSPNEGOAuth instance for the principal."""`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`name = gssapi.Name(principal)`
add simple authz tests 2021-08-19 16:33:44 -04:00			`# the 'store' arg doesn't seem to work for DIR ccaches`
			`with self.krb5ccname_env(principal):`
			`creds = gssapi.Credentials(name=name, usage='initiate')`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`auth = HTTPSPNEGOAuth(`
			`opportunistic_auth=True,`
			`target_name='ceod',`
			`creds=creds,`
			`)`
			`return auth`

add simple authz tests 2021-08-19 16:33:44 -04:00			`def kinit(self, principal):`
			`"""Acquire an initial TGT for the principal."""`
			`# For some reason, kinit with the '-c' option deletes the other`
			`# credentials in the cache collection, so we need to override the`
			`# env variable`
			`subprocess.run(`
			`['kinit', principal],`
			`text=True, input='krb5', check=True, stdout=subprocess.DEVNULL,`
			`env={'KRB5CCNAME': self.principal_ccaches[principal]})`

move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`def get_headers(self, principal):`
add simple authz tests 2021-08-19 16:33:44 -04:00			`if principal not in self.principal_ccaches:`
			`_, filename = tempfile.mkstemp(dir=self.cache_dir)`
			`self.principal_ccaches[principal] = filename`
			`self.kinit(principal)`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`# Get the Authorization header (SPNEGO).`
			`# The method doesn't matter here because we just need to extract`
			`# the header using req.prepare().`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`req = Request('GET', self.base_url, auth=self.get_auth(principal))`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`headers = list(req.prepare().headers.items())`
			`# Get the X-KRB5-CRED header (forwarded TGT).`
add simple authz tests 2021-08-19 16:33:44 -04:00			`cred = b64encode(get_fwd_tgt(`
			`'ceod/' + socket.getfqdn(), self.principal_ccaches[principal]`
			`)).decode()`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`headers.append(('X-KRB5-CRED', cred))`
			`return headers`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
			`def request(self, method, path, principal, **kwargs):`
add tests for Mailman API 2021-08-19 12:14:41 -04:00			`# Make sure that we're not already in a request context, otherwise`
			`# g will get overridden`
			`with pytest.raises(RuntimeError):`
			`'' in g`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`if principal is None:`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`principal = self.syscom_principal`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`resp = self.client.open(`
			`path, method=method, headers=self.get_headers(principal), **kwargs)`
			`status = int(resp.status.split(' ', 1)[0])`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`if resp.headers['content-type'] == 'application/json':`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`data = json.loads(resp.data)`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`else:`
			`data = [json.loads(line) for line in resp.data.splitlines()]`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`return status, data`

			`def get(self, path, principal=None, **kwargs):`
			`return self.request('GET', path, principal, **kwargs)`

			`def post(self, path, principal=None, **kwargs):`
			`return self.request('POST', path, principal, **kwargs)`

add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`def patch(self, path, principal=None, **kwargs):`
			`return self.request('PATCH', path, principal, **kwargs)`

move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`def delete(self, path, principal=None, **kwargs):`
			`return self.request('DELETE', path, principal, **kwargs)`