pyceo/tests/conftest_ceod_api.py

from base64 import b64encode
import json
import socket

from flask import g
from flask.testing import FlaskClient
import gssapi
import pytest
from requests import Request
from requests_gssapi import HTTPSPNEGOAuth

from ceo_common.krb5.utils import get_fwd_tgt
from .utils import krb5ccname_ctx

__all__ = ['client']


@pytest.fixture(scope='session')
def client(app):
    app_client = app.test_client()
    yield CeodTestClient(app_client)


class CeodTestClient:
    def __init__(self, app_client: FlaskClient):
        self.client = app_client
        self.syscom_principal = 'ctdalek'
        # this is only used for the HTTPSNEGOAuth
        self.base_url = f'http://{socket.getfqdn()}'
        # for SPNEGO
        self.target_name = gssapi.Name('ceod/' + socket.getfqdn())

    def get_auth(self, principal):
        """Acquire a HTTPSPNEGOAuth instance for the principal."""
        name = gssapi.Name(principal)
        # the 'store' arg doesn't seem to work for DIR ccaches
        creds = gssapi.Credentials(name=name, usage='initiate')
        auth = HTTPSPNEGOAuth(
            opportunistic_auth=True,
            target_name=self.target_name,
            creds=creds,
        )
        return auth

    def get_headers(self, principal: str, need_cred: bool):
        with krb5ccname_ctx(principal):
            # Get the Authorization header (SPNEGO).
            # The method doesn't matter here because we just need to extract
            # the header using req.prepare().
            req = Request('GET', self.base_url, auth=self.get_auth(principal))
            headers = list(req.prepare().headers.items())
            if need_cred:
                # Get the X-KRB5-CRED header (forwarded TGT).
                cred = b64encode(get_fwd_tgt('ceod/' + socket.getfqdn())).decode()
                headers.append(('X-KRB5-CRED', cred))
        return headers

    def request(self, method: str, path: str, principal: str, need_cred: bool, **kwargs):
        # Make sure that we're not already in a request context, otherwise
        # g will get overridden
        with pytest.raises(RuntimeError):
            '' in g
        if principal is None:
            principal = self.syscom_principal
        headers = self.get_headers(principal, need_cred)
        resp = self.client.open(path, method=method, headers=headers, **kwargs)
        status = int(resp.status.split(' ', 1)[0])
        if resp.headers['content-type'] == 'application/json':
            data = json.loads(resp.data)
        else:
            data = [json.loads(line) for line in resp.data.splitlines()]
        return status, data

    def get(self, path, principal=None, need_cred=True, **kwargs):
        return self.request('GET', path, principal, need_cred, **kwargs)

    def post(self, path, principal=None, need_cred=True, **kwargs):
        return self.request('POST', path, principal, need_cred, **kwargs)

    def patch(self, path, principal=None, need_cred=True, **kwargs):
        return self.request('PATCH', path, principal, need_cred, **kwargs)

    def delete(self, path, principal=None, need_cred=True, **kwargs):
        return self.request('DELETE', path, principal, need_cred, **kwargs)
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`from base64 import b64encode`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`import json`
			`import socket`

add tests for Mailman API 2021-08-19 12:14:41 -04:00			`from flask import g`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`from flask.testing import FlaskClient`
			`import gssapi`
			`import pytest`
			`from requests import Request`
			`from requests_gssapi import HTTPSPNEGOAuth`

add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`from ceo_common.krb5.utils import get_fwd_tgt`
add unit tests for members CLI 2021-08-23 19:01:24 -04:00			`from .utils import krb5ccname_ctx`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00
			`__all__ = ['client']`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00

			`@pytest.fixture(scope='session')`
			`def client(app):`
			`app_client = app.test_client()`
add unit tests for members CLI 2021-08-23 19:01:24 -04:00			`yield CeodTestClient(app_client)`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00

			`class CeodTestClient:`
add unit tests for members CLI 2021-08-23 19:01:24 -04:00			`def __init__(self, app_client: FlaskClient):`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`self.client = app_client`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`self.syscom_principal = 'ctdalek'`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`# this is only used for the HTTPSNEGOAuth`
			`self.base_url = f'http://{socket.getfqdn()}'`
use our own SPNEGO implementation 2021-08-21 02:27:33 -04:00			`# for SPNEGO`
			`self.target_name = gssapi.Name('ceod/' + socket.getfqdn())`
add simple authz tests 2021-08-19 16:33:44 -04:00
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`def get_auth(self, principal):`
add simple authz tests 2021-08-19 16:33:44 -04:00			`"""Acquire a HTTPSPNEGOAuth instance for the principal."""`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`name = gssapi.Name(principal)`
add simple authz tests 2021-08-19 16:33:44 -04:00			`# the 'store' arg doesn't seem to work for DIR ccaches`
add unit tests for members CLI 2021-08-23 19:01:24 -04:00			`creds = gssapi.Credentials(name=name, usage='initiate')`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`auth = HTTPSPNEGOAuth(`
			`opportunistic_auth=True,`
use our own SPNEGO implementation 2021-08-21 02:27:33 -04:00			`target_name=self.target_name,`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`creds=creds,`
			`)`
			`return auth`

add members CLI 2021-08-23 09:59:01 -04:00			`def get_headers(self, principal: str, need_cred: bool):`
add unit tests for members CLI 2021-08-23 19:01:24 -04:00			`with krb5ccname_ctx(principal):`
			`# Get the Authorization header (SPNEGO).`
			`# The method doesn't matter here because we just need to extract`
			`# the header using req.prepare().`
			`req = Request('GET', self.base_url, auth=self.get_auth(principal))`
			`headers = list(req.prepare().headers.items())`
			`if need_cred:`
			`# Get the X-KRB5-CRED header (forwarded TGT).`
			`cred = b64encode(get_fwd_tgt('ceod/' + socket.getfqdn())).decode()`
			`headers.append(('X-KRB5-CRED', cred))`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`return headers`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
add members CLI 2021-08-23 09:59:01 -04:00			`def request(self, method: str, path: str, principal: str, need_cred: bool, **kwargs):`
add tests for Mailman API 2021-08-19 12:14:41 -04:00			`# Make sure that we're not already in a request context, otherwise`
			`# g will get overridden`
			`with pytest.raises(RuntimeError):`
			`'' in g`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`if principal is None:`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`principal = self.syscom_principal`
add members CLI 2021-08-23 09:59:01 -04:00			`headers = self.get_headers(principal, need_cred)`
add test for API request without KRB-CRED 2021-08-19 19:53:13 -04:00			`resp = self.client.open(path, method=method, headers=headers, **kwargs)`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`status = int(resp.status.split(' ', 1)[0])`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`if resp.headers['content-type'] == 'application/json':`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`data = json.loads(resp.data)`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00			`else:`
			`data = [json.loads(line) for line in resp.data.splitlines()]`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00			`return status, data`

add members CLI 2021-08-23 09:59:01 -04:00			`def get(self, path, principal=None, need_cred=True, **kwargs):`
			`return self.request('GET', path, principal, need_cred, **kwargs)`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
add members CLI 2021-08-23 09:59:01 -04:00			`def post(self, path, principal=None, need_cred=True, **kwargs):`
			`return self.request('POST', path, principal, need_cred, **kwargs)`
move all tests to top-level folder 2021-08-13 20:11:56 -04:00
add members CLI 2021-08-23 09:59:01 -04:00			`def patch(self, path, principal=None, need_cred=True, **kwargs):`
			`return self.request('PATCH', path, principal, need_cred, **kwargs)`
add Kerberos delegation (#5) This PR adds unconstrained Kerberos delegation to the API. The client obtains a forwarded TGT and sends it, base64-encoded, in an HTTP header named 'X-KRB5-CRED'. The server reads this credential, creates a new credentials cache for the user, and stores the credential into the new cache. The server can now authenticate to other services (e.g. LDAP) over GSSAPI using the forwarded client's credentials. Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/5 Co-authored-by: Max Erenberg <merenber@localhost> Co-committed-by: Max Erenberg <merenber@localhost> 2021-08-18 15:39:14 -04:00
add members CLI 2021-08-23 09:59:01 -04:00			`def delete(self, path, principal=None, need_cred=True, **kwargs):`
			`return self.request('DELETE', path, principal, need_cred, **kwargs)`