Digest Authentication for ROBOTFRAMEWORK - robotframework

Below is the beginning of a script for testing a REST interface on a device; this device has an HTTPS server with Digest Authentication.
This is where I am encountering a problem. Below I have it set up and I do not get an error, so I assume
Set Digest Auth admin secret is valid.
If it is, why can I not authenticate:
#script
*** Settings ***
Resource    variablesreal.txt
Library    HttpLibrary.HTTP
Library    PycURLLibrary
Library    OperatingSystem
Test Setup    Create HTTP Context    ${HOST}    https
*** Variables ***
${HEADER1}    Content-Type: text/xml; charset=UTF-8
*** Test Cases ***
Set Digest Auth
    Log Variables
    Verbose
    Add Header    ${HEADER1}
    Add Header    version:1
    Next Request Should Not Succeed
    GET    https://${HOST}/views
    Set Digest Auth    admin    secret
    GET    https://${HOST}/views
    Response Status Code Should Equal    200
    Response Body Should Contain    views
    Log Response Status
    Log Response
Here is the output from pybot hls.txt
==============================================================================
Hls
==============================================================================
Set Digest Auth | FAIL |
Request should have succeeded, but was "401 Unauthorized".
------------------------------------------------------------------------------
Hls | FAIL |
1 critical test, 0 passed, 1 failed
1 test total, 0 passed, 1 failed
==============================================================================
Output: /home/robm/code/BDD/pycurl/hl/output.xml
Log: /home/robm/code/BDD/pycurl/hl/log.html
Report: /home/robm/code/BDD/pycurl/hl/report.html
Any ideas on Digest authentication?

I ended up adding this to RequestKeywords.py
def create_digest_session(self, alias, url, auth, headers={}, cookies=None, timeout=None, proxies=None, verify=False):
    """ Create Session: create a HTTP session to a server

    `url` Base url of the server
    `alias` Robot Framework alias to identify the session
    `headers` Dictionary of default headers
    `auth` List of username & password for HTTP Digest Auth
    `timeout` connection timeout
    `proxies` proxy server url
    `verify` set to True if Requests should verify the certificate
    """
    digest_auth = requests.auth.HTTPDigestAuth(*auth) if auth else None
    return self._create_session_local(alias, url, headers, cookies, digest_auth, timeout, proxies, verify)
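
What a Digest client has to compute between the first 401 and the authenticated retry, as an added example that is not part of the original posts or of any Robot Framework library. The function names are hypothetical, only `algorithm=MD5` with `qop=auth` is handled, and the sample challenge and credentials are the worked example from RFC 2617 section 3.5, not values from this page.

```python
import hashlib
import re

def parse_challenge(header_value):
    """Split a 'WWW-Authenticate: Digest ...' value into a parameter dict."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}

def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_fields(challenge, method, uri, username, password, cnonce, nc=1):
    """Compute the Authorization parameters for algorithm=MD5, qop=auth."""
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("this example handles algorithm=MD5 only")
    if "auth" not in [q.strip() for q in challenge.get("qop", "").split(",")]:
        raise ValueError("this example handles qop=auth only")
    ha1 = _md5_hex(f"{username}:{challenge['realm']}:{password}")  # secret part
    ha2 = _md5_hex(f"{method}:{uri}")                               # request part
    nc_hex = f"{nc:08x}"
    response = _md5_hex(
        f"{ha1}:{challenge['nonce']}:{nc_hex}:{cnonce}:auth:{ha2}")
    fields = {"username": username, "realm": challenge["realm"],
              "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
              "nc": nc_hex, "cnonce": cnonce, "response": response}
    if "opaque" in challenge:          # must be echoed back unchanged
        fields["opaque"] = challenge["opaque"]
    return fields

def authorization_header(fields):
    """Serialise the fields; qop and nc are sent unquoted, the rest quoted."""
    bare = {"qop", "nc"}
    return "Digest " + ", ".join(
        f"{k}={v}" if k in bare else f'{k}="{v}"' for k, v in fields.items())

# Sample challenge and credentials: the worked example from RFC 2617 section 3.5.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    f = digest_fields(parse_challenge(CHALLENGE), "GET", "/dir/index.html",
                      "Mufasa", "Circle Of Life", cnonce="0a4f113b")
    print(authorization_header(f))
```

Digest keeps the password itself off the wire but does not authenticate the server. The keyword above defaults to `verify=False`, so pass `verify=True` wherever the device certificate can be validated.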

Related

REG:Authentication failed for user in Robot framework

I want to use SSHLibrary to connect to a remote server.
*** Settings ***
Library    SSHLibrary
*** Test Cases ***
Connection
    ${RemoteServer}=    openconnection    127.0.0.1    port=2123
    login    127.0.0.1    gfi
    ${username}=    Executecommand    pwd
But I am getting an error as authentication failed
TRACE : Arguments: [ '127.0.0.1' | port=2123 ]
TRACE : Return: 1
INFO : ${RemoteServer} = 1
TRACE : Arguments: [ '127.0.0.1' | 'gfi' | delay='0.5 seconds' ]
INFO : Logging into '127.0.0.1:2123' as '127.0.0.1'.
DEBUG : Adding ssh-ed25519 host key for [127.0.0.1]:2123: 56cde5c5d3a8494218b68ed41b4e837d
FAIL : Authentication failed for user '127.0.0.1'.
DEBUG :
Traceback (most recent call last):
File "c:\python27\lib\site-packages\SSHLibrary\library.py", line 914, in login
is_truthy(look_for_keys), delay, proxy_cmd)
File "c:\python27\lib\site-packages\SSHLibrary\library.py", line 973, in _login
raise RuntimeError(e)
Ending test: Launchvm.Launchvm.Connection
This is the first time I am using SSHLibrary. Does it require any preconditions to use SSHLibrary?
Can someone help with how to solve authentication failed?
You have to take a look at the arguments for the SSHLibrary Login keyword.
As seen in the documentation, the first argument of Login is the username.
However, in your code you give 127.0.0.1 as the username.
    login    127.0.0.1    gfi
And I assume that is not the username.
You can also see this in the log message, that it tries to log in to 127.0.0.1:2123 as 127.0.0.1.
INFO : Logging into '127.0.0.1:2123' as '127.0.0.1'.
If you update the code and call the login keyword with username and password as expected, it should run fine.
    login    <username>    <password>

Robotframework: Request - POST request with JSON body on demo REST site gives 400

The 'dummy.restapiexample.com' site provides a nice demo REST service. Retrieving data is simple in Robotframework via the Requests library.
Creating a body with dictionaries works! When I use JSON bodies, I get these errors.
Test 1: POST to reqres.in gives HTTP status: 400
*** Settings ***
Library    RequestsLibrary
*** Variables ***
${RestApiB} =    https://reqres.in
*** Test Cases ***
Create a new user
    Create Session    restSession    ${RestApiB}
    ${jsonString} =    To Json    {"name":"jjxx","job":"devxx"}
    ${headers} =    Create Dictionary    Content-Type=application/json
    ${response} =    Post Request    restSession    /api/users    json=${jsonString}    headers=${headers}
    Should Be Equal As Strings    ${response.status_code}    201

Issues getting kerberos/Windows AD login work for a web service

I have been struggling with this for quite a while now, and I can't get it to work.
Here is the setup:
I have an nginx webserver serving a django app at mywebapp.k8s.dal1.mycompany.io
It has the SPNEGO plugin compiled in and I have the following endpoint in my config:
location /ad-login {
    uwsgi_pass django;
    include /usr/lib/mycompany/lib/wsgi/uwsgi_params;
    auth_gss on;
    auth_gss_realm BURNERDEV1.DAL1.MYCOMPANY.IO;
    auth_gss_service_name HTTP/mywebapp.k8s.dal1.mycompany.io;
    auth_gss_allow_basic_fallback off;
}
My AD Domain controller is at burnerdev1.dal1.mycompany.io and I have the following users configured:
rep_movsd
portal
I run the following commands on the DC server in an Admin prompt:
ktpass -out krb5.keytab -mapUser portal@BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO
setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO portal
C:\Users\myself\Documents\keytab>ktpass -out krb5.keytab -mapUser portal@BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO
Targeting domain controller: dal1devdc1.burnerdev1.dal1.mycompany.io
Using legacy password setting method
Failed to set property 'servicePrincipalName' to 'HTTP/mywebapp.k8s.dal1.mycompany.io' on Dn 'CN=portal,CN=Users,DC=burnerdev1,DC=dal1,
DC=mycompany,DC=io': 0x13.
WARNING: Unable to set SPN mapping data.
If portal already has an SPN mapping installed for HTTP/mywebapp.k8s.dal1.mycompany.io, this is no cause for concern.
Building salt with principalname HTTP/mywebapp.k8s.dal1.mycompany.io and domain BURNERDEV1.DAL1.MYCOMPANY.IO (encryption type 18)...
Hashing password with salt "BURNERDEV1.DAL1.MYCOMPANY.IOHTTPmywebapp.k8s.dal1.mycompany.io".
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 110 HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) k
eylength 32 (0x632d9ca3356374e9de490ec2f7718f9fb652b20da40bd212a808db4c46a72bc5)
C:\Users\myself\Documents\keytab>setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO portal
Checking domain DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
Registering ServicePrincipalNames for CN=portal,CN=Users,DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO
Updated object
C:\Users\myself\Documents\keytab>
Now in the "Active Directory Users and Computers" section, I right-clicked the user and selected "Properties"
Then on the "Delegation" tab I set "Trust this user for delegation to any service (Kerberos only)"
Next I copy the krb5.keytab file to my webserver and restart the nginx container
On the Windows workstation which is part of the domain, I log on as rep_movsd - when I run klist:
C:\Users\rep_movsd>klist
Current LogonId is 0:0x208d7
Cached Tickets: (2)
#0> Client: rep_movsd @ BURNERDEV1.DAL1.MYCOMPANY.IO
Server: krbtgt/BURNERDEV1.DAL1.MYCOMPANY.IO @ BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/16/2020 2:05:51 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: rep_movsd @ BURNERDEV1.DAL1.MYCOMPANY.IO
Server: HTTP/mywebapp.k8s.dal1.mycompany.io @ BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/16/2020 2:06:01 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
I set up Firefox to do SPNEGO authentication
Then I hit mywebapp.k8s.dal1.mycompany.io/ad-login and I get a 403 Forbidden error
The nginx server debug log shows:
[debug] 16#16: *195 Client sent a reasonable Negotiate header
[debug] 16#16: *195 GSSAPI authorizing
[debug] 16#16: *195 Use keytab /etc/krb5.keytab
[debug] 16#16: *195 Using service principal: HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 my_gss_name HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 gss_accept_sec_context() failed: Cannot decrypt ticket for HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO using keytab key for HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO:
[debug] 16#16: *195 GSSAPI failed
[debug] 16#16: *195 http finalize request: 403, "/ad-login?" a:1, c:1
[debug] 16#16: *195 http special response: 403, "/ad-login?"
[debug] 16#16: *195 http set discard body
[debug] 16#16: *195 charset: "" > "utf-8"
[debug] 16#16: *195 HTTP/1.1 403 Forbidden
BTW while messing around earlier - I found that if I had set a fixed password for the "portal" user with ktpass and logged in as that account on the workstation, the login would succeed.
I was under the mistaken impression that I'd need to create a new keytab for every user and combine all of them.
Any help is greatly appreciated - I read so many conflicting docs it's only confused me further and I've been losing sleep over this.
Thanks in advance!
I've read your problem statement carefully, and I think if you follow the steps I wrote below the issue will be solved.
1. On the DC server where you are creating the keytab, (1) UAC must be temporarily disabled. (2) The user creating the keytab must be a member of the Domain Admins group.
2. Ensure the SPN is not a duplicate, then remove the SPN from the Active Directory user account portal. This must be done before creating a new keytab using the same SPN against the same account. The below command is a one-liner, word-wrapping makes it look like two lines.
setspn -d HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO portal
3. Re-create the keytab again exactly as you did before.
You do not need to run the command setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io@BURNERDEV1.DAL1.MYCOMPANY.IO portal because the SPN was already set on the Active Directory user account by the ktpass command in step 3.
4. Replace the old keytab with the new keytab.
5. Restart the nginx webserver service.
6. Clear browser cache AND clear Kerberos cache (klist purge).
7. Try it again.
You must do all these steps including the final step 7. Do not skip any.
Your service account is named portal. A hash of this password is stored in both Active Directory and the keytab. Same hash is in both locations. The keytab on the nginx server is utilized to decrypt the inbound Kerberos service tickets to determine who the user is attempting to access the web app. More specifically, the GSS authentication does all the work, it uses the keytab to un-scramble the encrypted service tickets. The user rep_movsd does not have the service account credentials. It is part of the Active Directory domain, and when accessing the nginx web server, it gets its own Kerberos service ticket and its identity is proven to the web server by simply being in possession of a service ticket that is decrypted by the keytab. If it wasn't part of the BURNERDEV1.DAL1.MYCOMPANY.IO domain, or had an expired password, or was a disabled account, it would not be able to get a service ticket and thus not prove its identity and fail authentication.
If you have time, please see my TechNet Wiki article on keytab creation and the logic behind it to help you better understand this complex subject.
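
A way to check which key the server's keytab actually holds when the log says "Cannot decrypt ticket", as an added example that is not part of the original answer. It reads the version 0x502 keytab layout (the version ktpass reports above) and compares each entry's principal, key version number and encryption type with the values the ticket was issued under. The function names are hypothetical, `ticket_kvno` and `ticket_etype` are inputs the operator supplies from the KDC side, and the sample keytab is constructed with an all-zero key.

```python
import struct

def _counted(data, p):
    """Read a 16-bit length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for each live entry of a 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                   # a negative length marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
            _key, p = _counted(data, p + 11)
            if end - p >= 4:           # optional 32-bit kvno, used when non-zero
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def diagnose(entries, spn, ticket_kvno, ticket_etype):
    """Say whether a ticket for `spn` can be decrypted with these entries."""
    mine = [(k, e) for name, k, e in entries if name == spn]
    if not mine:
        return "no keytab entry for " + spn
    if (ticket_kvno, ticket_etype) in mine:
        return "ok"
    if ticket_etype not in [e for _, e in mine]:
        return "no key with etype %d" % ticket_etype
    return "kvno mismatch: keytab has %s, ticket uses %d" % (
        sorted(k for k, _ in mine), ticket_kvno)

def _entry(realm, comps, kvno, etype, key):  # builds constructed sample data
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES256 (etype 18) entry, kvno 3, all-zero key.
SAMPLE = b"\x05\x02" + _entry(b"EXAMPLE.TEST", [b"HTTP", b"web.example.test"], 3, 18, bytes(32))
```

On a real server, read the file with `open(path, "rb").read()` and pass the bytes to `parse_keytab`.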

Soap Calls using Robot Framework

I am trying to implement soap calls testing through Robot framework. Tried various solutions that I could find on google, nothing works.
The same is working when I am testing through SOAP UI. Am I missing something, I am not sure.
new test
    [Tags]    abcd
    Add Doctor Import    http://schemas.xmlsoap.org/soap/encoding/
    &{headers}=    Create Dictionary    Content-Type    text/xml    SOAPAction    ""    Host    bfx-b2b....
    ${auth}=    Create List    Test    Password3#
    Create Session    getPlans    https://bfx-b2b.../wsdl/ProductService.wsdl    auth=${auth}    verify=True
    ${file_data}=    Get Binary File    ${CURDIR}/request.xml
    Log    ${file_data}
    ${byte_string}=    Encode String To Bytes    ${REQUEST}    UTF-8
    ${resp}=    Post Request    getPlans    https://bfx-b2b..../B2BWEB/services/IProductPort    data=${byte_string}    headers=${headers}
    Log    ${resp.text}
    Log    ${resp.status_code}
I am getting below 500 error in response.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
ESS_eBiz_Operations@uhc.com and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
Few Soap UI details -
Endpoint that I am hitting on SOAP UI -https://bfx-b2b.../B2BWEB/services/IProductPort
Raw data -
POST https://bfx-b2b.../B2BWEB/services/IProductPort HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 1822
Host: bfx-b2b...
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Cookie: SMCHALLENGE=YES
Cookie2: $Version=1
Authorization: Basic V2VsbHRoaWVfVGVzdDpQYXNzd29yZDMj
See if this example will help you:
*** Settings ***
Documentation    Test with SOAP (WSDL) with two parameters that returns the country passing the IP
Library    SudsLibrary
*** Variables ***
${ip}    150.162.2.1
*** Test Cases ***
ConsultaIP
    Create Soap Client    http://ws.cdyne.com/ip2geo/ip2geo.asmx?wsdl
    ${result}    Call Soap Method    ResolveIP    ${ip}    null
    ${country}    Get Wsdl Object Attribute    ${result}    Country
    ${Latitude}    Get Wsdl Object Attribute    ${result}    Latitude
    ${Longitude}    Get Wsdl Object Attribute    ${result}    Longitude
    log    The IP ${ip} belongs to the country ${country}, Latitude: ${Latitude} Longitude: ${Longitude}

How to set header in robot framework for HttpLibrary.HTTP

How to set the header as content-type and authentication for robotframework
*** Variables ***
${PORT}    36504
${HOST}    https://staging-product..co/api/products
${HeaderName}    Content-Type
${HeaderValue}    application/json
${HeaderName1}    Authorization
${HeaderValue1}    Token token=zkzg1VPnhcMm7uv,email=cctest7@gmail.com
*** Settings ***
Resource    variables.txt
Library    HttpLibrary.HTTP
Test Setup    Create HTTP Context    ${HOST}    https
*** Test Cases ***
Set Headers
    POST    https://staging-product..co/api/products
Full-URL GET to MytestSsite
    GET    https://staging-product.connect.co/
Taken from the HTTP Library Documentation (https://peritus.github.io/robotframework-httplibrary/HttpLibrary.html)
Set Request Header | header_name, header_value |
Sets a request header for the next request.
header_name is the name of the header, e.g. User-Agent header_value is the key of the header, e.g. RobotFramework HttpLibrary (Mozilla/4.0)
A further simple example would be:
    Set Request Header    Content-Type    application/json
or using your variables above:
    Set Request Header    ${HeaderName}    ${HeaderValue}
Here is a full example:
    Create HTTP Context    ${HOST}    http
    ${Request_Body}    Get File    ${xmlFilename}    encoding=${Request_Body_Encoding}
    Set Request Header    ${HeaderName}    ${HeaderValue}
    Set Request Body    ${Request_Body}
    Log    ${Request_Body}
    POST    ${URL}
    Response Status Code Should Equal    ${ResponseStatusCode}
