From c76718932382e6851e1ad9f004246bde3fc74de8 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 15:45:07 +0200 Subject: starting to write a srp test with python srp lib --- users/test/integration/api/python/flow_with_srp.py | 58 ++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100755 users/test/integration/api/python/flow_with_srp.py (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py new file mode 100755 index 0000000..cb89f6e --- /dev/null +++ b/users/test/integration/api/python/flow_with_srp.py @@ -0,0 +1,58 @@ +#!/usr/bin/env python + +# under development + +import requests +import json +import string +import random +import srp +import binascii + +# let's have some random name +def id_generator(size=6, chars=string.ascii_uppercase + string.digits): + return ''.join(random.choice(chars) for x in range(size)) + +# using globals for a start +server = 'http://localhost:3000' +login = id_generator() +password = id_generator() + id_generator() + +# log the server communication +def print_and_parse(response): + print response.request.method + ': ' + response.url + print " " + json.dumps(response.request.data) + print " -> " + response.text + return json.loads(response.text) + +def signup(session): + salt, vkey = srp.create_salted_verification_key( login, password ) + user_params = { + 'user[login]': login, + 'user[password_verifier]': binascii.hexlify(vkey), + 'user[password_salt]': binascii.hexlify(salt) + } + return session.post(server + '/users.json', data = user_params) + +usr = srp.User( login, password ) + +def authenticate(session, login): + uname, A = usr.start_authentication() + params = { + 'login': uname, + 'A': A + } + init = print_and_parse(session.post(server + '/sessions', data = params)) + M = usr.process_challenge( init['salt'], init['B'] ) + return session.put(server + '/sessions/' + login, data = {'client_auth': M}) + +session = requests.session() +user = print_and_parse(signup(session)) + +# SRP signup would happen here and calculate M hex +auth = print_and_parse(authenticate(session, user['login'])) +usr.verify_session( auth ) + +# At this point the authentication process is complete. +assert usr.authenticated() + -- cgit v1.2.3 From 793f36bb8063017cd8b48f084597f4e64b72d0f4 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 15:52:48 +0200 Subject: use hexlify and unhexlify everywhere needed except the final auth as this is still broken anyway --- users/test/integration/api/python/flow_with_srp.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index cb89f6e..1aad555 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -40,11 +40,12 @@ def authenticate(session, login): uname, A = usr.start_authentication() params = { 'login': uname, - 'A': A + 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) - M = usr.process_challenge( init['salt'], init['B'] ) - return session.put(server + '/sessions/' + login, data = {'client_auth': M}) + M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) ) + return session.put(server + '/sessions/' + login, + data = {'client_auth': binascii.hexlify(M)}) session = requests.session() user = print_and_parse(signup(session)) -- cgit v1.2.3 From 5fe296eb9f9b216e05921ac0c41f5defc1cc2054 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 16:12:50 +0200 Subject: trying to use the same Hash Alg and Prime as webapp - still failing --- users/test/integration/api/python/flow_with_srp.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 1aad555..08ac94a 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -26,7 +26,7 @@ def print_and_parse(response): return json.loads(response.text) def signup(session): - salt, vkey = srp.create_salted_verification_key( login, password ) + salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -34,7 +34,7 @@ def signup(session): } return session.post(server + '/users.json', data = user_params) -usr = srp.User( login, password ) +usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() -- cgit v1.2.3 From 118d9ab5c9f4d7a82b7cf24774ef12d3c221f8ef Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 5 Oct 2012 13:59:39 +0200 Subject: moving to ruby_srp 0.1.0, works with python srp --- users/test/integration/api/python/flow_with_srp.py | 2 +- users/test/integration/api/python/signup_and_login.py | 10 +++------- 2 files changed, 4 insertions(+), 8 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 08ac94a..ea630f2 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -52,7 +52,7 @@ user = print_and_parse(signup(session)) # SRP signup would happen here and calculate M hex auth = print_and_parse(authenticate(session, user['login'])) -usr.verify_session( auth ) +usr.verify_session( binascii.unhexlify(auth["M2"]) ) # At this point the authentication process is complete. assert usr.authenticated() diff --git a/users/test/integration/api/python/signup_and_login.py b/users/test/integration/api/python/signup_and_login.py index 2d79688..ac611d7 100755 --- a/users/test/integration/api/python/signup_and_login.py +++ b/users/test/integration/api/python/signup_and_login.py @@ -20,14 +20,13 @@ def print_and_parse(response): print response.request.method + ': ' + response.url print " " + json.dumps(response.request.data) print " -> " + response.text - print " () " + json.dumps(requests.utils.dict_from_cookiejar(response.cookies)) return json.loads(response.text) def signup(session): user_params = { 'user[login]': id_generator(), 'user[password_verifier]': '12345', - 'user[password_salt]': '54321' + 'user[password_salt]': 'AB54321' } return session.post(server + '/users.json', data = user_params) @@ -36,11 +35,8 @@ def authenticate(session, login): 'login': login, 'A': '12345', } - init = session.post(server + '/sessions', data = params) - cookies = requests.utils.dict_from_cookiejar(init.cookies) - init = session.post(server + '/sessions', data = params, cookies = cookies) - print "(%) " + json.dumps(cookies) - return session.put(server + '/sessions/' + login, data = {'client_auth': '123'}, cookies = cookies) + init = print_and_parse(session.post(server + '/sessions', data = params)) + return session.put(server + '/sessions/' + login, data = {'client_auth': '123'}) session = requests.session() user = print_and_parse(signup(session)) -- cgit v1.2.3 From e264e7354788c0b7eff7bb296eed9c59304cc8b8 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 5 Oct 2012 16:48:27 +0200 Subject: using safe_unhexlify to workaround 0 padding also changed the debug output so it helps creating tests for ruby-srp --- users/test/integration/api/python/flow_with_srp.py | 29 ++++++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index ea630f2..3bbbc71 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -6,9 +6,11 @@ import requests import json import string import random -import srp +import srp._pysrp as srp import binascii +safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) + # let's have some random name def id_generator(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) @@ -18,15 +20,20 @@ server = 'http://localhost:3000' login = id_generator() password = id_generator() + id_generator() +print ' username = "' + login + '"' +print ' password = "' + password + '"' + # log the server communication def print_and_parse(response): - print response.request.method + ': ' + response.url - print " " + json.dumps(response.request.data) + # print response.request.method + ': ' + response.url + # print " " + json.dumps(response.request.data) print " -> " + response.text return json.loads(response.text) def signup(session): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) + print ' salt = "' + binascii.hexlify(salt) + '"' + print ' v = "' + binascii.hexlify(vkey) + '"' user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -38,12 +45,16 @@ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() + print ' aa = "' + binascii.hexlify(A) + '"' params = { 'login': uname, 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) - M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) ) + # print ' b = "' + init['b'] + '"' + print ' bb = "' + init['B'] + '"' + M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) + print ' m = "' + binascii.hexlify(M) + '"' return session.put(server + '/sessions/' + login, data = {'client_auth': binascii.hexlify(M)}) @@ -52,7 +63,15 @@ user = print_and_parse(signup(session)) # SRP signup would happen here and calculate M hex auth = print_and_parse(authenticate(session, user['login'])) -usr.verify_session( binascii.unhexlify(auth["M2"]) ) +if ( 'errors' in auth ): + print ' u = "%x"' % usr.u + print ' x = "%x"' % usr.x + print ' v = "%x"' % usr.v + print ' S = "%x"' % usr.S + print ' K = "' + binascii.hexlify(usr.K) + '"' + print ' M = "%x"' % usr.M +else: + usr.verify_session( safe_unhexlify(auth["M2"]) ) # At this point the authentication process is complete. assert usr.authenticated() -- cgit v1.2.3 From 5267a127ee967b1d89df6033cc9869715e960886 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 6 Oct 2012 19:39:48 +0200 Subject: comment out debugging lines --- users/test/integration/api/python/flow_with_srp.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 3bbbc71..0a11aec 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -16,24 +16,24 @@ def id_generator(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) # using globals for a start -server = 'http://localhost:3000' +server = 'http://springbok/1/' login = id_generator() password = id_generator() + id_generator() -print ' username = "' + login + '"' -print ' password = "' + password + '"' +# print ' username = "' + login + '"' +# print ' password = "' + password + '"' # log the server communication def print_and_parse(response): # print response.request.method + ': ' + response.url # print " " + json.dumps(response.request.data) - print " -> " + response.text + # print " -> " + response.text return json.loads(response.text) def signup(session): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - print ' salt = "' + binascii.hexlify(salt) + '"' - print ' v = "' + binascii.hexlify(vkey) + '"' + # print ' salt = "' + binascii.hexlify(salt) + '"' + # print ' v = "' + binascii.hexlify(vkey) + '"' user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -45,16 +45,16 @@ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() - print ' aa = "' + binascii.hexlify(A) + '"' + # print ' aa = "' + binascii.hexlify(A) + '"' params = { 'login': uname, 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) # print ' b = "' + init['b'] + '"' - print ' bb = "' + init['B'] + '"' + # print ' bb = "' + init['B'] + '"' M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - print ' m = "' + binascii.hexlify(M) + '"' + # print ' m = "' + binascii.hexlify(M) + '"' return session.put(server + '/sessions/' + login, data = {'client_auth': binascii.hexlify(M)}) -- cgit v1.2.3 From 3b4703b6669bb712fd078080d6f3b83af089b19e Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 11 Oct 2012 11:09:36 +0200 Subject: fixed account_flow_test - srp.authenticate now takes a single arg --- users/test/integration/api/account_flow_test.rb | 27 ++++++++++++------------- 1 file changed, 13 insertions(+), 14 deletions(-) (limited to 'users/test/integration/api') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index e20bcf6..66de1e5 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -30,40 +30,39 @@ class AccountFlowTest < ActionDispatch::IntegrationTest :password_verifier => @srp.verifier.to_s(16), :password_salt => @srp.salt.to_s(16) } + post '/users.json', :user => @user_params + @user = User.find_by_param(@login) end def teardown @user.destroy if @user # make sure we can run this test again end - test "signup and login with srp via api" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) + test "signup response" do assert_json_response @user_params.slice(:login, :password_salt) assert_response :success - server_auth = @srp.authenticate(self, @login, @password) + end + + test "signup and login with srp via api" do + server_auth = @srp.authenticate(self) assert_nil server_auth["errors"] assert server_auth["M2"] end test "signup and wrong password login attempt" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) - assert_json_response @user_params.slice(:login, :password_salt) - assert_response :success - server_auth = @srp.authenticate(self, @login, "wrong password") + srp = SRP::Client.new(@login, "wrong password") + server_auth = srp.authenticate(self) assert_equal ["wrong password"], server_auth["errors"]['password'] assert_nil server_auth["M2"] end test "signup and wrong username login attempt" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) - assert_json_response @user_params.slice(:login, :password_salt) - assert_response :success + srp = SRP::Client.new("wrong_login", @password) + server_auth = nil assert_raises RECORD_NOT_FOUND do - server_auth = @srp.authenticate(self, "wronglogin", @password) + server_auth = srp.authenticate(self) end + assert_nil server_auth end end -- cgit v1.2.3