[CalendarServer-changes] [7296] CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav /directory
source_changes at macosforge.org
source_changes at macosforge.org
Thu Apr 7 12:05:50 PDT 2011
Revision: 7296
http://trac.macosforge.org/projects/calendarserver/changeset/7296
Author: cdaboo at apple.com
Date: 2011-04-07 12:05:49 -0700 (Thu, 07 Apr 2011)
Log Message:
-----------
Remove client-ip check from digest auth as per r6801.
Revision Links:
--------------
http://trac.macosforge.org/projects/calendarserver/changeset/6801
Modified Paths:
--------------
CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/digest.py
CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/test/test_digest.py
Modified: CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/digest.py
===================================================================
--- CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/digest.py 2011-04-07 18:30:26 UTC (rev 7295)
+++ CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/digest.py 2011-04-07 19:05:49 UTC (rev 7296)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2006-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2006-2011 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -162,8 +162,8 @@
if result:
raise AssertionError("nonce value already cached in credentials database: %s" % (c,))
- # The database record is a tuple of (client ip, nonce-count, timestamp)
- yield self.db.set(c, (peer.host, 0, time.time()))
+ # The database record is a tuple of (nonce-count, timestamp)
+ yield self.db.set(c, (0, time.time()))
challenge = {
'nonce': c,
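Review bot: `peer` is no longer read in the visible lines of this function now that `peer.host` is dropped from the stored record, but callers such as the tests still pass a client address. The signature and docstring are outside the hunk, so this may already be covered. If not, the docstring should say that the argument is kept for interface compatibility and is not recorded, for example `peer: client address; accepted for API compatibility, not stored with the nonce`.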
@@ -262,20 +262,14 @@
"""
nonce = auth.get('nonce')
- clientip = request.remoteAddr.host
nonce_count = auth.get('nc')
# First check we have this nonce
result = (yield self.db.get(nonce))
if result is None:
raise error.LoginFailed('Invalid nonce value: %s' % (nonce,))
- db_clientip, db_nonce_count, db_timestamp = result
+ db_nonce_count, db_timestamp = result
- # Next check client ip
- if db_clientip != clientip:
- yield self._invalidate(nonce)
- raise error.LoginFailed('Client IPs do not match: %s and %s' % (clientip, db_clientip,))
-
# cnonce and nonce-count MUST be present if qop is present
if auth.get('qop') is not None:
if auth.get('cnonce') is None:
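Review bot: The two-element unpack `db_nonce_count, db_timestamp = result` raises ValueError rather than error.LoginFailed if it meets a record written by the previous revision, which stored a three-element tuple including the client IP. Whether such records can still exist at deploy time depends on the backend behind self.db, which is not visible here. If entries can outlive a restart or are shared between processes, check `len(result) != 2` before unpacking and treat it like an unknown nonce: invalidate it and raise LoginFailed. The enclosing function begins and ends outside this hunk.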
@@ -294,7 +288,7 @@
if nonce_count != db_nonce_count + 1:
yield self._invalidate(nonce)
raise error.LoginFailed('nonce-count value out of sequence: %s should be one more than %s' % (nonce_count, db_nonce_count,))
- yield self.db.set(nonce, (db_clientip, nonce_count, db_timestamp))
+ yield self.db.set(nonce, (nonce_count, db_timestamp))
else:
# When not using qop the stored nonce-count must always be zero.
# i.e. we can't allow a qop auth then a non-qop auth with the same nonce
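Review bot: With the client-address comparison gone, the nonce-count sequence check on this branch and the timestamp lifetime are the only visible limits on reusing a nonce. The non-qop branch below keeps the stored count at zero, so a non-qop nonce appears to be accepted repeatedly from any address until it expires. That may be the intended trade-off of r6801, which is not shown here, but it should be recorded where the record is updated, for example `# Nonces are not bound to the client address; reuse is limited only by nonce-count (qop) and the challenge lifetime.` The else branch continues outside the hunk, so confirm against the full function.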
Modified: CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/test/test_digest.py
===================================================================
--- CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/test/test_digest.py 2011-04-07 18:30:26 UTC (rev 7295)
+++ CalendarServer/branches/release/CalendarServer-2.5-dev/twistedcaldav/directory/test/test_digest.py 2011-04-07 19:05:49 UTC (rev 7296)
@@ -1,5 +1,5 @@
##
-# Copyright (c) 2005-2007 Apple Inc. All rights reserved.
+# Copyright (c) 2005-2011 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -440,41 +440,6 @@
response.headers.getHeader("www-authenticate")[0][1]
@inlineCallbacks
- def test_incompatibleClientIp(self):
- """
- Test that the login fails when the request comes from a client ip
- other than what is encoded in the opaque.
- """
-
- credentialFactories = (
- FakeDigestCredentialFactory('md5', 'auth', 'test realm', self.namespace1),
- FakeDigestCredentialFactory('md5', '', 'test realm', self.namespace2)
- )
-
- for ctr, factory in enumerate(credentialFactories):
- challenge = (yield factory.getChallenge(address.IPv4Address('TCP', '127.0.0.2', 80)))
-
- clientResponse = authRequest1[ctr] % (
- challenge['nonce'],
- self.getDigestResponse(challenge, "00000001"),
- )
-
- request = _trivial_GET()
- yield self.assertRaisesDeferred(
- error.LoginFailed,
- factory.decode,
- clientResponse,
- request
- )
-
- response = (yield UnauthorizedResponse.makeResponse(
- {"Digest":factory},
- request.remoteAddr,
- ))
- wwwhdrs = response.headers.getHeader("www-authenticate")[0][1]
- self.assertTrue('stale' not in wwwhdrs, msg="Stale parameter in Digest WWW-Authenticate headers: %s" % (wwwhdrs,))
-
- @inlineCallbacks
def test_oldNonce(self):
"""
Test that the login fails when the given opaque is older than
@@ -488,8 +453,8 @@
for ctr, factory in enumerate(credentialFactories):
challenge = (yield factory.getChallenge(clientAddress))
- clientip, nonce_count, timestamp = (yield factory.db.get(challenge['nonce']))
- factory.db.set(challenge['nonce'], (clientip, nonce_count, timestamp - 2 * digest.DigestCredentialFactory.CHALLENGE_LIFETIME_SECS))
+ nonce_count, timestamp = (yield factory.db.get(challenge['nonce']))
+ factory.db.set(challenge['nonce'], (nonce_count, timestamp - 2 * digest.DigestCredentialFactory.CHALLENGE_LIFETIME_SECS))
clientResponse = authRequest1[ctr] % (
challenge['nonce'],
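Review bot: The rewritten `factory.db.set(challenge['nonce'], (nonce_count, ...))` call is not yielded, although the `factory.db.get` on the line before it is, and digest.py yields every `self.db.set`. If the test factory's db returns a Deferred from set (its implementation is not visible here), the aged timestamp may not be stored before the decode that follows, and a failure in set would go unnoticed. Writing `yield factory.db.set(...)` makes the ordering explicit. test_oldNonce continues outside the hunk.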