2022-08-14 18:36:49 +08:00
|
|
|
import requests
|
|
|
|
|
import pyotp
|
2022-11-12 00:00:12 +08:00
|
|
|
from base64 import b64decode
|
|
|
|
|
from uuid import uuid4
|
2022-08-14 18:36:49 +08:00
|
|
|
|
2022-11-12 00:00:12 +08:00
|
|
|
from .api_client import (
|
|
|
|
|
api_admin_session,
|
|
|
|
|
api_create_target,
|
|
|
|
|
api_create_user,
|
|
|
|
|
api_create_role,
|
|
|
|
|
api_add_role_to_user,
|
|
|
|
|
api_add_role_to_target,
|
|
|
|
|
)
|
|
|
|
|
from .conftest import WarpgateProcess
|
|
|
|
|
from .test_http_common import * # noqa
|
2022-08-14 18:36:49 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class TestHTTPUserAuthOTP:
|
|
|
|
|
def test_auth_otp_success(
|
|
|
|
|
self,
|
|
|
|
|
otp_key_base32,
|
2022-11-12 00:00:12 +08:00
|
|
|
otp_key_base64,
|
|
|
|
|
echo_server_port,
|
|
|
|
|
shared_wg: WarpgateProcess,
|
2022-08-14 18:36:49 +08:00
|
|
|
):
|
2022-11-12 00:00:12 +08:00
|
|
|
url = f"https://localhost:{shared_wg.http_port}"
|
|
|
|
|
with api_admin_session(url) as session:
|
|
|
|
|
role = api_create_role(url, session, {"name": f"role-{uuid4()}"})
|
|
|
|
|
user = api_create_user(
|
|
|
|
|
url,
|
|
|
|
|
session,
|
|
|
|
|
{
|
|
|
|
|
"username": f"user-{uuid4()}",
|
|
|
|
|
"credentials": [
|
|
|
|
|
{
|
|
|
|
|
"kind": "Password",
|
|
|
|
|
"hash": "123",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"kind": "Totp",
|
|
|
|
|
"key": list(b64decode(otp_key_base64)),
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
"credential_policy": {
|
|
|
|
|
"http": ["Password", "Totp"],
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
api_add_role_to_user(url, session, user["id"], role["id"])
|
|
|
|
|
echo_target = api_create_target(
|
|
|
|
|
url,
|
|
|
|
|
session,
|
|
|
|
|
{
|
|
|
|
|
"name": f"echo-{uuid4()}",
|
|
|
|
|
"options": {
|
|
|
|
|
"kind": "Http",
|
|
|
|
|
"url": f"http://localhost:{echo_server_port}",
|
|
|
|
|
"tls": {
|
|
|
|
|
"mode": "Disabled",
|
|
|
|
|
"verify": False,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
api_add_role_to_target(url, session, echo_target["id"], role["id"])
|
|
|
|
|
|
2022-08-14 18:36:49 +08:00
|
|
|
session = requests.Session()
|
|
|
|
|
session.verify = False
|
|
|
|
|
|
|
|
|
|
totp = pyotp.TOTP(otp_key_base32)
|
|
|
|
|
|
|
|
|
|
response = session.post(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/@warpgate/api/auth/login",
|
2022-08-14 18:36:49 +08:00
|
|
|
json={
|
2022-11-12 00:00:12 +08:00
|
|
|
"username": user["username"],
|
|
|
|
|
"password": "123",
|
2022-08-14 18:36:49 +08:00
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 != 2
|
|
|
|
|
|
|
|
|
|
response = session.get(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/some/path?a=b&warpgate-target={echo_target['name']}&c=d",
|
|
|
|
|
allow_redirects=False,
|
2022-08-14 18:36:49 +08:00
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 != 2
|
|
|
|
|
|
|
|
|
|
response = session.post(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/@warpgate/api/auth/otp",
|
2022-08-14 18:36:49 +08:00
|
|
|
json={
|
2022-11-12 00:00:12 +08:00
|
|
|
"otp": totp.now(),
|
2022-08-14 18:36:49 +08:00
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 == 2
|
|
|
|
|
|
|
|
|
|
response = session.get(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/some/path?a=b&warpgate-target={echo_target['name']}&c=d",
|
|
|
|
|
allow_redirects=False,
|
2022-08-14 18:36:49 +08:00
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 == 2
|
2022-11-12 00:00:12 +08:00
|
|
|
assert response.json()["path"] == "/some/path"
|
2022-08-14 18:36:49 +08:00
|
|
|
|
|
|
|
|
def test_auth_otp_fail(
|
|
|
|
|
self,
|
2022-11-12 00:00:12 +08:00
|
|
|
otp_key_base64,
|
|
|
|
|
echo_server_port,
|
|
|
|
|
shared_wg: WarpgateProcess,
|
2022-08-14 18:36:49 +08:00
|
|
|
):
|
2022-11-12 00:00:12 +08:00
|
|
|
url = f"https://localhost:{shared_wg.http_port}"
|
|
|
|
|
with api_admin_session(url) as session:
|
|
|
|
|
role = api_create_role(url, session, {"name": f"role-{uuid4()}"})
|
|
|
|
|
user = api_create_user(
|
|
|
|
|
url,
|
|
|
|
|
session,
|
|
|
|
|
{
|
|
|
|
|
"username": f"user-{uuid4()}",
|
|
|
|
|
"credentials": [
|
|
|
|
|
{
|
|
|
|
|
"kind": "Password",
|
|
|
|
|
"hash": "123",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"kind": "Totp",
|
|
|
|
|
"key": list(b64decode(otp_key_base64)),
|
|
|
|
|
},
|
|
|
|
|
],
|
|
|
|
|
"credential_policy": {
|
|
|
|
|
"http": ["PublicKey", "Totp"],
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
api_add_role_to_user(url, session, user["id"], role["id"])
|
|
|
|
|
echo_target = api_create_target(
|
|
|
|
|
url,
|
|
|
|
|
session,
|
|
|
|
|
{
|
|
|
|
|
"name": f"echo-{uuid4()}",
|
|
|
|
|
"options": {
|
|
|
|
|
"kind": "Http",
|
|
|
|
|
"url": f"http://localhost:{echo_server_port}",
|
|
|
|
|
"tls": {
|
|
|
|
|
"mode": "Disabled",
|
|
|
|
|
"verify": False,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
api_add_role_to_target(url, session, echo_target["id"], role["id"])
|
|
|
|
|
|
2022-08-14 18:36:49 +08:00
|
|
|
session = requests.Session()
|
|
|
|
|
session.verify = False
|
|
|
|
|
|
|
|
|
|
response = session.post(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/@warpgate/api/auth/login",
|
2022-08-14 18:36:49 +08:00
|
|
|
json={
|
2022-11-12 00:00:12 +08:00
|
|
|
"username": user["username"],
|
|
|
|
|
"password": "123",
|
2022-08-14 18:36:49 +08:00
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 != 2
|
|
|
|
|
|
|
|
|
|
response = session.post(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/@warpgate/api/auth/otp",
|
2022-08-14 18:36:49 +08:00
|
|
|
json={
|
2022-11-12 00:00:12 +08:00
|
|
|
"otp": "00000000",
|
2022-08-14 18:36:49 +08:00
|
|
|
},
|
|
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 != 2
|
|
|
|
|
|
|
|
|
|
response = session.get(
|
2022-11-12 00:00:12 +08:00
|
|
|
f"{url}/some/path?a=b&warpgate-target={echo_target['name']}&c=d",
|
|
|
|
|
allow_redirects=False,
|
2022-08-14 18:36:49 +08:00
|
|
|
)
|
|
|
|
|
assert response.status_code // 100 != 2
|
