http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py


http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens

i am way over my head here and don't know that much about stuff
really but i would like to know how i can specify a handler for
cherrypy.error

gert@gert:~/Desktop$ python2.5 aut.py
No handlers could be found for logger "cherrypy.error"
...
----------------------------------------------------------------------
Ran 3 tests in 0.011s

OK
gert@gert:~/Desktop$

also why do i have to remove

self.assertBody("Hello test, you've been authorized.")

in the digest test else i get

gert@gert:~/Desktop$ python2.5 aut.py
No handlers could be found for logger "cherrypy.error"
.
    ERROR: expected body:
"Hello test, you've been authorized."

actual body:
"Hello None, you've been authorized."
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  X
gert@gert:~/Desktop$


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "cherrypy-devel" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to [hidden email]
For more options, visit this group at http://groups.google.com/group/cherrypy-devel
-~----------~----~----~----~------~----~------~--~---


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens

i made my own test, and i think i understand what is going on.
cherrypy.request.login is broken :) So there is no way i can find out
who is actually logged in ?

Ps Is this the most secure way without ssl to login ?

import cherrypy

class Root:
    @cherrypy.expose
    def index(self):
        return "This is public."

    @cherrypy.expose
    def secure(self):
        return "Hello %s, you've been authorized." % cherrypy.request.login

if  __name__ == "__main__":

    conf = {'/secure': {'tools.digest_auth.on': True,
                        'tools.digest_auth.realm': 'localhost',
                        'tools.digest_auth.users': {'test': 'test'}}}

    cherrypy.quickstart(Root(), config=conf)



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

Sylvain Hellegouarch
In reply to this post by gert cuykens

gert wrote:

> i am way over my head here and don't know that much about stuff
> really but i would like to know how i can specify a handler for
> cherrypy.error
>
> gert@gert:~/Desktop$ python2.5 aut.py
> No handlers could be found for logger "cherrypy.error"
> ...
> ----------------------------------------------------------------------
> Ran 3 tests in 0.011s
>
> OK
> gert@gert:~/Desktop$
>
> also why do i have to remove
>
> self.assertBody("Hello test, you've been authorized.")
>
> in the digest test else i get
>
> gert@gert:~/Desktop$ python2.5 aut.py
> No handlers could be found for logger "cherrypy.error"
> .
>     ERROR: expected body:
> "Hello test, you've been authorized."
>
> actual body:
> "Hello None, you've been authorized."
>     Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  X
> gert@gert:~/Desktop$
>

Hi,

Could you actually explain what you are doing because I'm a bit lost
here. Is the test_httpauth.py not working on your machine? If so which
revision of CP are you running?

If not could you copy your code?

Thanks,
- Sylvain


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

Sylvain Hellegouarch
In reply to this post by gert cuykens

gert wrote:
> i made my own test, and i think i understand what is going on.
> cherrypy.request.login is broken :) So there is no way i can find out
> who is actually logged in ?
>

How?

> Ps Is this the most secure way without ssl to login ?
>
> import cherrypy
>
> class Root:
>     @cherrypy.expose
>     def index(self):
>         return "This is public."
>
>     @cherrypy.expose
>     def secure(self):
>         return "Hello %s, you've been authorized." % cherrypy.request.login
>
> if  __name__ == "__main__":
>
>     conf = {'/secure': {'tools.digest_auth.on': True,
>                         'tools.digest_auth.realm': 'localhost',
>                         'tools.digest_auth.users': {'test': 'test'}}}
>
>     cherrypy.quickstart(Root(), config=conf)
>

If you want to use a non-session based type of authentication it is
probably one of the safest without SSL.

- Sylvain


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens
In reply to this post by Sylvain Hellegouarch

On Mar 5, 7:47 pm, Sylvain Hellegouarch <[hidden email]> wrote:

> gert wrote:
> > i am way over my head here and don't know that much about stuff
> > really but i would like to know how i can specify a handler for
> > cherrypy.error
>
> > gert@gert:~/Desktop$ python2.5 aut.py
> > No handlers could be found for logger "cherrypy.error"
> > ...
> > ----------------------------------------------------------------------
> > Ran 3 tests in 0.011s
>
> > OK
> > gert@gert:~/Desktop$
>
> > also why do i have to remove
>
> > self.assertBody("Hello test, you've been authorized.")
>
> > in the digest test else i get
>
> > gert@gert:~/Desktop$ python2.5 aut.py
> > No handlers could be found for logger "cherrypy.error"
> > .
> >     ERROR: expected body:
> > "Hello test, you've been authorized."
>
> > actual body:
> > "Hello None, you've been authorized."
> >     Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  X
> > gert@gert:~/Desktop$
>
> Hi,
>
> Could you actually explain what you are doing because I'm a bit lost
> here. Is the test_httpauth.py not working on your machine? If so which
> revision of CP are you running?
>
> If not could you copy your code?
>
> Thanks,
> - Sylvain

#name = "CherryPy"
#version = "3.0.0"

import md5
import cherrypy
from cherrypy.lib  import httpauth
from cherrypy.test import test
from cherrypy.test import helper
test.prefer_parent_path()

def setup_server():
  class Root:
      def index(self):
          return "This is public."
      index.exposed = True

  class DigestProtected:
      def index(self):
          ############ % cherrypy.request.login doesnt work ################
          return "Hello test, you've been authorized."
##################################################################
      index.exposed = True

  class BasicProtected:
      def index(self):
          return "Hello %s, you've been authorized." % cherrypy.request.login
      index.exposed = True

  conf = {'/digest': {'tools.digest_auth.on': True,
                      'tools.digest_auth.realm': 'localhost',
                      'tools.digest_auth.users': {'test': 'test'}},
          '/basic':  {'tools.basic_auth.on': True,
                      'tools.basic_auth.realm': 'localhost',
                      'tools.basic_auth.users': {'test': md5.new('test').hexdigest()}}}
  root = Root()
  root.digest = DigestProtected()
  root.basic = BasicProtected()
  cherrypy.tree.mount(root, config=conf)
  cherrypy.config.update({'environment': 'test_suite'})

class HTTPAuthTest(helper.CPWebCase):

    def testPublic(self):
        self.getPage("/")
        self.assertStatus('200 OK')
        self.assertHeader('Content-Type', 'text/html')
        self.assertBody('This is public.')

    def testBasic(self):
        self.getPage("/basic/")
        self.assertStatus('401 Unauthorized')
        self.assertHeader('WWW-Authenticate', 'Basic realm="localhost"')

        self.getPage('/basic/', [('Authorization', 'Basic dGVzdDp0ZX60')])
        self.assertStatus('401 Unauthorized')

        self.getPage('/basic/', [('Authorization', 'Basic dGVzdDp0ZXN0')])
        self.assertStatus('200 OK')
        self.assertBody("Hello test, you've been authorized.")

    def testDigest(self):
        self.getPage("/digest/")
        self.assertStatus('401 Unauthorized')

        value = None
        for k, v in self.headers:
            if  k.lower() == "www-authenticate":
                if  v.startswith("Digest"):
                    value = v
                    break

        if value is None:
            self._handlewebError("Digest authentification scheme was not found")

        value = value[7:]
        items = value.split(', ')
        tokens = {}
        for item in items:
            key, value = item.split('=')
            tokens[key.lower()] = value

        missing_msg = "%s is missing"
        bad_value_msg = "'%s' was expecting '%s' but found '%s'"
        nonce = None
        if 'realm' not in tokens:
            self._handlewebError(missing_msg % 'realm')
        elif tokens['realm'] != '"localhost"':
            self._handlewebError(bad_value_msg % ('realm', '"localhost"', tokens['realm']))
        if 'nonce' not in tokens:
            self._handlewebError(missing_msg % 'nonce')
        else:
            nonce = tokens['nonce'].strip('"')
        if 'algorithm' not in tokens:
            self._handlewebError(missing_msg % 'algorithm')
        elif tokens['algorithm'] != '"MD5"':
            self._handlewebError(bad_value_msg % ('algorithm', '"MD5"', tokens['algorithm']))
        if 'qop' not in tokens:
            self._handlewebError(missing_msg % 'qop')
        elif tokens['qop'] != '"auth"':
            self._handlewebError(bad_value_msg % ('qop', '"auth"', tokens['qop']))

        base_auth = ('Digest username="test", realm="localhost", '
                     'nonce="%s", uri="/digest/", algorithm=MD5, '
                     'response="%s", qop=auth, nc=%s, cnonce="1522e61005789929"')
        auth = base_auth % (nonce, '', '00000001')
        params = httpauth.parseAuthorization(auth)
        response = httpauth._computeDigestResponse(params, 'test')
        auth = base_auth % (nonce, response, '00000001')
        self.getPage('/digest/', [('Authorization', auth)])
        self.assertStatus('200 OK')
        self.assertBody("Hello test, you've been authorized.")

if  __name__ == "__main__":
    setup_server()
    helper.testmain()



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens
In reply to this post by Sylvain Hellegouarch



On Mar 5, 7:48 pm, Sylvain Hellegouarch <[hidden email]> wrote:

> gert wrote:
> > i made my own test, and i think i understand what is going on.
> > cherrypy.request.login is broken :) So there is no way i can find out
> > who is actually logged in ?
>
> How?
>
>
>
> > Ps Is this the most secure way without ssl to login ?
>
> > import cherrypy
>
> > class Root:
> >     @cherrypy.expose
> >     def index(self):
> >         return "This is public."
>
> >     @cherrypy.expose
> >     def secure(self):
> >         return "Hello %s, you've been authorized." % cherrypy.request.login
>
> > if  __name__ == "__main__":
>
> >     conf = {'/secure': {'tools.digest_auth.on': True,
> >                         'tools.digest_auth.realm': 'localhost',
> >                         'tools.digest_auth.users': {'test': 'test'}}}
>
> >     cherrypy.quickstart(Root(), config=conf)
>
> If you want to use a non-session based type of authentication it is
> probably one of the safest without SSL.
>
> - Sylvain

But even if i do use a session based login the password is posted in
plain text to the server right ?

That doesn't happen with the digest authentication if i am not
mistaken.

Can i change 'tools.digest_auth.algorithm' to sha1 or do most
browsers only work with md5 ?



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

Sylvain Hellegouarch
In reply to this post by gert cuykens


>
> #name = "CherryPy"
> #version = "3.0.0"
>

Right this doesn't help me much :)
I would like to know which version of CP you are running and its
revision if you got it from subversion.

Then I'd like the traceback of the exception during the run.

- Sylvain


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

Sylvain Hellegouarch
In reply to this post by gert cuykens


>
> Can i change 'tools.digest_auth.algorithm' to sha1 or do most
> browsers only work with md5 ?
>
>

You're being paranoid I think ;). Just because md5 has been hacked does
not mean it should be disregarded in every context. Anyhow AFAIK RFC
2617 only describes the algorithm using MD5 and I don't think any
implementations out there accept SHA.

- Sylvain
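
The RFC 2617 computation discussed in the messages above (MD5, qop=auth), as an added example that is not part of the thread or of CherryPy's code: it shows that only hashes of the password cross the wire and how a server recovers the authenticated username. It is written for Python 3 with hashlib; the function names, the password and the nonce are assumptions made for the illustration, and nonce-count replay tracking is left out.

```python
import hashlib
import hmac
import re

# Constructed sample values. Only the 'test' user, the 'localhost' realm, the
# /digest/ URI and the cnonce come from the test posted in the thread.
USERS = {"test": "correct horse"}
NONCE = "c0ffee0123456789"
CHALLENGE = 'Digest realm="localhost", nonce="%s", algorithm="MD5", qop="auth"' % NONCE


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_params(header):
    """Split 'Digest k="v", k=v, ...' into a dict; handles quoted and bare values."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def digest_response(p, method, password):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth."""
    ha1 = md5_hex("%s:%s:%s" % (p["username"], p["realm"], password))
    ha2 = md5_hex("%s:%s" % (method, p["uri"]))
    return md5_hex(":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]))


def build_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Client side: answer a challenge. Only hashes of the password leave the client."""
    c = parse_params(challenge)
    p = {"username": username, "realm": c["realm"], "nonce": c["nonce"], "uri": uri,
         "qop": "auth", "nc": nc, "cnonce": cnonce}
    p["response"] = digest_response(p, method, password)
    return ('Digest username="%(username)s", realm="%(realm)s", nonce="%(nonce)s", '
            'uri="%(uri)s", algorithm=MD5, response="%(response)s", qop=%(qop)s, '
            'nc=%(nc)s, cnonce="%(cnonce)s"' % p)


def authenticated_user(authorization, method, users, realm, issued_nonces):
    """Server side: return the verified username, or None if any check fails."""
    try:
        p = parse_params(authorization)
        if p["realm"] != realm or p["nonce"] not in issued_nonces or p["qop"] != "auth":
            return None
        expected = digest_response(p, method, users[p["username"]])
        supplied = p["response"]
    except (KeyError, ValueError):
        return None
    # Constant-time comparison of the recomputed and the supplied digest.
    if hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return p["username"]
    return None


if __name__ == "__main__":
    header = build_authorization(CHALLENGE, "test", USERS["test"], "GET", "/digest/",
                                 "1522e61005789929")
    print(header)
    print(authenticated_user(header, "GET", USERS, "localhost", {NONCE}))
```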


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens
In reply to this post by Sylvain Hellegouarch

On Mar 5, 8:16 pm, Sylvain Hellegouarch <[hidden email]> wrote:

> > #name = "CherryPy"
> > #version = "3.0.0"
>
> Right this doesn't help me much :)
> I would like to know which version of CP you are running and its
> revision if you got it from subversion.
>
> Then I'd like the traceback of the exception during the run.
>
> - Sylvain

lol i am sorry :)

I didn't download the svn version i just run the stable version i
downloaded from the main site, i looked in the setup.py and saw 3.0.0
mentioned.

I think i found out how the traceback works :)

gert@gert:~/Desktop$ python2.5 aut.py
No handlers could be found for logger "cherrypy.error"
...
----------------------------------------------------------------------
Ran 3 tests in 0.011s

OK
gert@gert:~/Desktop$ python2.5 aut.py
No handlers could be found for logger "cherrypy.error"
.
    ERROR: expected body:
"Hello test, you've been authorized."

actual body:
"Hello None, you've been authorized."
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  B
Hello None, you've been authorized.
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  H
[('Date', 'Mon, 05 Mar 2007 19:25:56 GMT'),
 ('Content-Length', '35'),
 ('Content-Type', 'text/html'),
 ('Server', 'CherryPy/3.0.0')]
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  S
200 OK
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  U
/digest/
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  I
..
----------------------------------------------------------------------
Ran 3 tests in 31.687s

OK
gert@gert:~/Desktop$ python2.5 aut.py
No handlers could be found for logger "cherrypy.error"
.
    ERROR: expected body:
"Hello test, you've been authorized."

actual body:
"Hello None, you've been authorized."
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  B
Hello None, you've been authorized.
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  H
[('Date', 'Mon, 05 Mar 2007 19:26:36 GMT'),
 ('Content-Length', '35'),
 ('Content-Type', 'text/html'),
 ('Server', 'CherryPy/3.0.0')]
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  S
200 OK
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  U
/digest/
    Show: [B]ody [H]eaders [S]tatus [U]RL; [I]gnore, [R]aise, or sys.e[X]it >>  R
F.
======================================================================
FAIL: testDigest (__main__.HTTPAuthTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/cherrypy/test/webtest.py", line 269, in __call__
    testMethod()
  File "aut.py", line 104, in testDigest
    self.assertBody("Hello test, you've been authorized.")
  File "/usr/lib/python2.5/site-packages/cherrypy/test/webtest.py", line 385, in assertBody
    self._handlewebError(msg)
  File "/usr/lib/python2.5/site-packages/cherrypy/test/webtest.py", line 244, in _handlewebError
    raise self.failureException(msg)
AssertionError: expected body:
"Hello test, you've been authorized."

actual body:
"Hello None, you've been authorized."

----------------------------------------------------------------------
Ran 3 tests in 13.685s

FAILED (failures=1)
gert@gert:~/Desktop$



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

Sylvain Hellegouarch

gert wrote:

> On Mar 5, 8:16 pm, Sylvain Hellegouarch <[hidden email]> wrote:
>>> #name = "CherryPy"
>>> #version = "3.0.0"
>> Right this doesn't help me much :)
>> I would like to know which version of CP you are running and its
>> revision if you got it from subversion.
>>
>> Then I'd like the traceback of the exception during the run.
>>
>> - Sylvain
>
> lol i am sorry :)
>
> I didn't download the svn version i just run the stable version i
> downloaded from the main site, i looked in the setup.py and saw 3.0.0
> mentioned.
>
> I think i found out how the traceback works :)

eh eh... everyday has its achievement :)
I won't have the time to look at that now so could you open a ticket on
Trac? (guest/cherrypy to login)

Thanks,
- Sylvain


Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens
In reply to this post by Sylvain Hellegouarch

On Mar 5, 8:19 pm, Sylvain Hellegouarch <[hidden email]> wrote:
> > Can i change 'tools.digest_auth.algorithm' to sha1 or do most
> > browsers only work with md5 ?
>
> You're being paranoid I think ;). Just because md5 has been hacked does
> not mean it should be disregarded in every context. Anyhow AFAIK RFC
> 2617 only describes the algorithm using MD5 and I don't think any
> implementations out there accept SHA.
>
> - Sylvain

Paranoid, i like that word, they also say that to me if i tell people
WEP key is not safe. Usually when people hack their own router reading
the 10 minutes WEP key howto they have the tendency to agree it maybe
not a good idea to use a WEP key after all :) But then again if
somebody can break my MD5 login they also can find a way to get inside
when i use SHA1 by going to my trash or something finding clues to the
password lol,... i know need to watch less tv.

PS do you remember the time when you could just get inside someone's
hotmail account by giving them an email where there was a nice little
link to your website asking them to just click on it so you could see
in the www stats the url with their sessionid :)



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens
In reply to this post by Sylvain Hellegouarch

Ticket #669



Re: http://www.cherrypy.org/browser/trunk/cherrypy/test/test_httpauth.py

gert cuykens

i just found out it works in 3.0.1 :)

