Add test for SASL PLAIN with no authzid.

2025-04-06 07:19:54 +00:00 · 2015-12-24 22:35:15 +01:00
parent 1281901eb3
commit 6e50d100e9
1 changed files with 49 additions and 0 deletions
--- a/irctest/server_tests/test_sasl.py
+++ b/irctest/server_tests/test_sasl.py
@ -37,6 +37,55 @@ class SaslTestCase(cases.BaseServerTestCase, cases.OptionalityHelper):
                fail_msg='900 should contain the account name as 3rd argument '
                '({expects}), not {got}: {msg}')

+    @cases.SpecificationSelector.requiredBySpecification('IRCv3.1')
+    @cases.OptionalityHelper.skipUnlessHasMechanism('PLAIN')
+    def testPlainNoAuthzid(self):
+        """“message   = [authzid] UTF8NUL authcid UTF8NUL passwd
+
+        […]
+
+        Upon receipt of the message, the server will verify the presented (in
+        the message) authentication identity (authcid) and password (passwd)
+        with the system authentication database, and it will verify that the
+        authentication credentials permit the client to act as the (presented
+        or derived) authorization identity (authzid).  If both steps succeed,
+        the user is authenticated.
+
+        […]
+
+
+        When no authorization identity is provided, the server derives an
+        authorization identity from the prepared representation of the
+        provided authentication identity string.  This ensures that the
+        derivation of different representations of the authentication
+        identity produces the same authorization identity.”
+        -- <https://tools.ietf.org/html/rfc4616#section-2>
+        """
+        self.controller.registerUser(self, 'foo', 'sesame')
+        self.controller.registerUser(self, 'jilles', 'sesame')
+        self.controller.registerUser(self, 'bar', 'sesame')
+        self.addClient()
+        self.sendLine(1, 'CAP LS 302')
+        capabilities = self.getCapLs(1)
+        self.assertIn('sasl', capabilities,
+                fail_msg='Does not have SASL as the controller claims.')
+        if capabilities['sasl'] is not None:
+            self.assertIn('PLAIN', capabilities['sasl'],
+                fail_msg='Does not have PLAIN mechanism as the controller '
+                'claims')
+        self.sendLine(1, 'AUTHENTICATE PLAIN')
+        m = self.getMessage(1, filter_pred=lambda m:m.command != 'NOTICE')
+        self.assertMessageEqual(m, command='AUTHENTICATE', params=['+'],
+                fail_msg='Sent “AUTHENTICATE PLAIN”, server should have '
+                'replied with “AUTHENTICATE +”, but instead sent: {msg}')
+        self.sendLine(1, 'AUTHENTICATE AGppbGxlcwBzZXNhbWU=')
+        m = self.getMessage(1, filter_pred=lambda m:m.command != 'NOTICE')
+        self.assertMessageEqual(m, command='900',
+                fail_msg='Did not send 900 after correct SASL authentication.')
+        self.assertEqual(m.params[2], 'jilles', m,
+                fail_msg='900 should contain the account name as 3rd argument '
+                '({expects}), not {got}: {msg}')
+
    @cases.SpecificationSelector.requiredBySpecification('IRCv3.1')
    def testMechanismNotAvailable(self):
        """“If authentication fails, a 904 or 905 numeric will be sent”