Changeset 65:736d81819863 in ralphm-patches

Timestamp:

Aug 19, 2012, 11:19:55 PM (8 years ago)

Author:

Ralph Meijer <ralphm@…>

Branch:

default

Message:

Fold c2s cred patch, rework authenticator with initializers.

This also marks some later patches as broken (using a different guard),
as they still depend on the previous architecture.

Files:

• c2s-cred.patch (deleted)
• client_listen_authenticator.patch (modified) (12 diffs)
• listening-authenticator-stream-features.patch (modified) (14 diffs)
• series (modified) (1 diff)

client_listen_authenticator.patch

@@ -1 +1 @@
 # HG changeset patch
-# Parent 75701188facc278f61a0dfb4bcfcd2232ee771ca
+# Parent ad0f4165244b1c661023f03d8f7557fe5352337f
 Add authenticator for accepting XMPP client connections.
 
@@ -7 +7 @@
 SASL PLAIN mechanism only.
 
-This authenticator needs a backend service to hold the domain served and
-relay established connections. Upon binding a resource, its `bindResource`
-method is called with the local-part, domain and resource bound to the new
-stream.
+This authenticator needs at least one Twisted Cred portal to hold the
+domain served. After authenticating, an avatar and a logout callback are
+returned. Upon binding a resource, the avatar's `bindResource` method is
+called with the desired resource name. Upon stream disconnect, the
+logout callback is called.
 
 TODO:
@@ -16 +17 @@
  * Add tests.
  * Add docstrings.
- * Readd stream namespace check?
- * Host checks.
- * Password checks.
- * Support for multiple domains?
 
-diff -r 75701188facc wokkel/client.py
---- a/wokkel/client.py  Wed Nov 23 09:52:41 2011 +0100
-+++ b/wokkel/client.py  Wed Nov 30 09:31:07 2011 +0100
-@@ -10,14 +10,26 @@
+diff --git a/wokkel/client.py b/wokkel/client.py
+--- a/wokkel/client.py
++++ b/wokkel/client.py
+@@ -10,14 +10,28 @@
  that should probably eventually move there.
  """
@@ -30 +27 @@
 +import base64
 +
++from zope.interface import Interface
++
  from twisted.application import service
- from twisted.internet import reactor
+-from twisted.internet import reactor
++from twisted.cred import credentials, error as ecred
++from twisted.internet import defer, reactor
 +from twisted.python import log
  from twisted.names.srvconnect import SRVConnector
@@ -43 +44 @@
 +NS_CLIENT = 'jabber:client'
 +
-+XPATH_ALL = "/*"
 +XPATH_AUTH = "/auth[@xmlns='%s']" % sasl.NS_XMPP_SASL
 +XPATH_BIND = "/iq[@type='set']/bind[@xmlns='%s']" % client.NS_XMPP_BIND
@@ -52 +52 @@
      """
      Check what authentication methods are available.
-@@ -51,7 +63,7 @@
+@@ -51,7 +65,7 @@
      autentication.
      """
@@ -61 +61 @@
      def __init__(self, jid, password):
          xmlstream.ConnectAuthenticator.__init__(self, jid.host)
-@@ -186,3 +198,152 @@
+@@ -186,3 +200,210 @@
      c = XMPPClientConnector(reactor, domain, factory)
      c.connect()
@@ -68 +68 @@
 +
 +
-+class XMPPClientListenAuthenticator(xmlstream.ListenAuthenticator):
-+    namespace = NS_CLIENT
-+
-+    def __init__(self, service):
-+        self.service = service
++class InvalidMechanism(Exception):
++    """
++    The requested SASL mechanism is invalid.
++    """
++
++
++class IAccount(Interface):
++    pass
++
++
++
++class SASLReceivingInitializer(object):
++    required = True
++
++    def __init__(self, xs, portal):
++        self.xmlstream = xs
++        self.portal = portal
++        self.deferred = defer.Deferred()
 +        self.failureGrace = 3
-+        self.state = 'auth'
-+
-+
-+    def associateWithStream(self, xs):
-+        xmlstream.ListenAuthenticator.associateWithStream(self, xs)
-+        self.xmlstream.addObserver(XPATH_ALL, self.onElementFallback, -1)
-+
-+
-+    def onElementFallback(self, element):
-+        if element.handled:
-+            return
-+
-+        exc = error.StreamError('not-authorized')
-+        self.xmlstream.sendStreamError(exc)
-+
-+
-+    def streamStarted(self, rootElement):
-+        xmlstream.ListenAuthenticator.streamStarted(self, rootElement)
-+
-+        # check namespace
-+        #if self.xmlstream.namespace != self.namespace:
-+        #    self.xmlstream.namespace = self.namespace
-+        #    exc = error.StreamError('invalid-namespace')
-+        #    self.xmlstream.sendStreamError(exc)
-+        #    return
-+
-+        # TODO: check domain (self.service.domain)
-+
-+        self.xmlstream.sendHeader()
-+
-+        try:
-+            stateHandlerName = 'streamStarted_' + self.state
-+            stateHandler = getattr(self, stateHandlerName)
-+        except AttributeError:
-+            log.msg('streamStarted handler for', self.state, 'not found')
-+        else:
-+            stateHandler()
-+
-+
-+    def toState(self, state):
-+        self.state = state
-+        if state == 'initialized':
-+            self.xmlstream.removeObserver(XPATH_ALL, self.onElementFallback)
-+            self.xmlstream.addOnetimeObserver(XPATH_SESSION, self.onSession, 1)
-+            self.xmlstream.dispatch(self.xmlstream,
-+                                    xmlstream.STREAM_AUTHD_EVENT)
-+
-+
-+    def streamStarted_auth(self):
-+        features = domish.Element((xmlstream.NS_STREAMS, 'features'))
-+        features.addElement((sasl.NS_XMPP_SASL, 'mechanisms'))
-+        features.mechanisms.addElement('mechanism', content='PLAIN')
-+        self.xmlstream.send(features)
-+        self.xmlstream.addOnetimeObserver(XPATH_AUTH, self.onAuth)
++
++
++    def getFeatures(self):
++        feature = domish.Element((sasl.NS_XMPP_SASL, 'mechanisms'))
++        feature.addElement('mechanism', content='PLAIN')
++        return [feature]
++
++
++    def initialize(self):
++        self.xmlstream.addObserver(XPATH_AUTH, self.onAuth)
++        return self.deferred
 +
 +
@@ -133 +103 @@
 +        auth.handled = True
 +
-+        if auth.getAttribute('mechanism') != 'PLAIN':
-+            failure = domish.Element((sasl.NS_XMPP_SASL, 'failure'))
-+            failure.addElement('invalid-mechanism')
-+            self.xmlstream.send(failure)
++        def cb(_):
++            response = domish.Element((sasl.NS_XMPP_SASL, 'success'))
++            self.xmlstream.send(response)
++            self.xmlstream.reset()
++
++        def eb(failure):
++            if failure.check(ecred.UnauthorizedLogin):
++                condition = 'not-authorized'
++            elif failure.check(InvalidMechanism):
++                condition = 'invalid-mechanism'
++            else:
++                log.err(failure)
++                condition = 'temporary-auth-failure'
++
++            response = domish.Element((sasl.NS_XMPP_SASL, 'failure'))
++            response.addElement(condition)
++            self.xmlstream.send(response)
 +
 +            # Close stream on too many failing authentication attempts
 +            self.failureGrace -= 1
 +            if self.failureGrace == 0:
-+                self.xmlstream.sendFooter()
-+            else:
-+                self.xmlstream.addOnetimeObserver(XPATH_AUTH, self.onAuth)
-+
-+            return
-+
++                raise error.StreamError('policy-violation')
++                #self.xmlstream.sendStreamError(exc)
++
++        d = defer.maybeDeferred(self.doAuth, auth)
++        d.addCallbacks(cb, eb)
++        d.chainDeferred(self.deferred)
++
++
++    def credentialsFromPlain(self, auth):
 +        initialResponse = base64.b64decode(unicode(auth))
 +        authzid, authcid, passwd = initialResponse.split('\x00')
 +
-+        # TODO: check passwd
-+
-+        # authenticated
-+
-+        self.username = authcid
-+
-+        success = domish.Element((sasl.NS_XMPP_SASL, 'success'))
-+        self.xmlstream.send(success)
-+        self.xmlstream.reset()
-+
-+        self.toState('bind')
-+
-+
-+    def streamStarted_bind(self):
-+        features = domish.Element((xmlstream.NS_STREAMS, 'features'))
-+        features.addElement((client.NS_XMPP_BIND, 'bind'))
-+        features.addElement((client.NS_XMPP_SESSION, 'session'))
-+        self.xmlstream.send(features)
++        # FIXME: bail if authzid is set
++
++        creds = credentials.UsernamePassword(username=authcid.encode('utf-8'),
++                                             password=passwd)
++        return creds
++
++
++    def doAuth(self, auth):
++
++        if auth.getAttribute('mechanism') != 'PLAIN':
++            raise InvalidMechanism()
++
++        creds = self.credentialsFromPlain(auth)
++
++        def cb((iface, avatar, logout)):
++            self.xmlstream.avatar = avatar
++            self.xmlstream.addObserver(xmlstream.STREAM_END_EVENT,
++                                       lambda _: logout())
++
++        d = self.portal.login(creds, None, IAccount)
++        d.addCallback(cb)
++        return d
++
++
++
++class BindReceivingInitializer(object):
++    required = True
++
++    def __init__(self, xs):
++        self.xmlstream = xs
++        self.deferred = defer.Deferred()
++
++
++    def getFeatures(self):
++        feature = domish.Element((client.NS_XMPP_BIND, 'bind'))
++        return [feature]
++
++
++    def initialize(self):
 +        self.xmlstream.addOnetimeObserver(XPATH_BIND, self.onBind)
++        return self.deferred
 +
 +
@@ -174 +182 @@
 +        def cb(boundJID):
 +            self.xmlstream.otherEntity = boundJID
-+            self.toState('initialized')
 +
 +            response = xmlstream.toResponse(iq, 'result')
@@ -194 +201 @@
 +        iq.handled = True
 +        resource = unicode(iq.bind) or None
-+        d = self.service.bindResource(self.username,
-+                                      self.service.domain,
-+                                      resource)
++        d = self.xmlstream.avatar.bindResource(resource)
 +        d.addCallback(cb)
 +        d.addErrback(eb)
 +        d.addCallback(self.xmlstream.send)
++        d.chainDeferred(self.deferred)
++
++
++
++class SessionReceivingInitializer(object):
++    required = False
++
++    def __init__(self, xs):
++        self.xmlstream = xs
++        self.deferred = defer.Deferred()
++
++
++    def getFeatures(self):
++        feature = domish.Element((client.NS_XMPP_SESSION, 'session'))
++        return [feature]
++
++
++    def initialize(self):
++        self.xmlstream.addOnetimeObserver(XPATH_SESSION, self.onSession, 1)
++        return self.deferred
 +
 +
@@ -206 +231 @@
 +
 +        reply = domish.Element((None, 'iq'))
-+        reply['type'] = 'result'
-+        if iq.getAttribute('id'):
-+            reply['id'] = iq['id']
-+        reply.addElement((client.NS_XMPP_SESSION, 'session'))
++
++        if self.xmlstream.otherEntity:
++            reply = xmlstream.toResponse(iq)
++        else:
++            reply = error.StanzaError('forbidden').toResponse(iq)
 +        self.xmlstream.send(reply)
-+
-+
-+
++        self.deferred.callback(None)
++
++
++
++class XMPPClientListenAuthenticator(generic.FeatureListenAuthenticator):
++    namespace = NS_CLIENT
++
++    def __init__(self, portals):
++        generic.FeatureListenAuthenticator.__init__(self)
++        self.portals = portals
++        self.portal = None
++
++
++    def getInitializers(self):
++        if not self.completedInitializers:
++            return [SASLReceivingInitializer(self.xmlstream, self.portal)]
++        elif isinstance(self.completedInitializers[-1],
++                        SASLReceivingInitializer):
++            return [BindReceivingInitializer(self.xmlstream),
++                    SessionReceivingInitializer(self.xmlstream)]
++        else:
++            return []
++
++
++    def checkStream(self):
++        generic.FeatureListenAuthenticator.checkStream(self)
++
++        if not self.xmlstream.thisEntity:
++            raise error.StreamError('improper-addressing')
++
++        # Check if we serve the domain and use the associated portal.
++        try:
++            self.portal = self.portals[self.xmlstream.thisEntity]
++        except KeyError:
++            raise error.StreamError('host-unknown')
+diff --git a/wokkel/test/test_client.py b/wokkel/test/test_client.py
+--- a/wokkel/test/test_client.py
++++ b/wokkel/test/test_client.py
+@@ -5,14 +5,21 @@
+ Tests for L{wokkel.client}.
+ """
+ 
++from zope.interface import implements
++
++from twisted.cred.portal import IRealm, Portal
++from twisted.cred.checkers import InMemoryUsernamePasswordDatabaseDontUse
+ from twisted.internet import defer
+ from twisted.trial import unittest
+ from twisted.words.protocols.jabber import xmlstream
+ from twisted.words.protocols.jabber.client import XMPPAuthenticator
+ from twisted.words.protocols.jabber.jid import JID
++from twisted.words.protocols.jabber.sasl import NS_XMPP_SASL
++from twisted.words.protocols.jabber.xmlstream import INIT_FAILED_EVENT
++from twisted.words.protocols.jabber.xmlstream import NS_STREAMS
+ from twisted.words.protocols.jabber.xmlstream import STREAM_AUTHD_EVENT
+-from twisted.words.protocols.jabber.xmlstream import INIT_FAILED_EVENT
+ from twisted.words.protocols.jabber.xmlstream import XMPPHandler
++from twisted.words.xish import xpath
+ 
+ from wokkel import client
+ 
+@@ -155,3 +162,167 @@
+         self.assertEqual(factory.deferred, d2)
+ 
+         return d1
++
++
++class TestAccount(object):
++    implements(client.IAccount)
++
++
++class TestRealm(object):
++
++    implements(IRealm)
++
++    logoutCalled = False
++
++    def requestAvatar(self, avatarId, mind, *interfaces):
++        return (client.IAccount, TestAccount(), self.logout)
++
++
++    def logout(self):
++        self.logoutCalled = True
++
++
++class TestableXmlStream(xmlstream.XmlStream):
++
++    def __init__(self, authenticator):
++        xmlstream.XmlStream.__init__(self, authenticator)
++        self.headerSent = False
++        self.footerSent = False
++        self.streamErrors = []
++        self.output = []
++
++
++    def reset(self):
++        xmlstream.XmlStream.reset(self)
++        self.headerSent = False
++
++
++    def sendHeader(self):
++        self.headerSent = True
++
++
++    def sendFooter(self):
++        self.footerSent = True
++
++
++    def sendStreamError(self, streamError):
++        self.streamErrors.append(streamError)
++
++
++    def send(self, obj):
++        self.output.append(obj)
++
++
++class XMPPClientListenAuthenticatorTest(unittest.TestCase):
++    """
++    Tests for L{client.XMPPClientListenAuthenticator}.
++    """
++
++    def setUp(self):
++        self.output = []
++        realm = TestRealm()
++        checker = InMemoryUsernamePasswordDatabaseDontUse(test='secret')
++        portal = Portal(realm, (checker,))
++        portals = {JID('example.org'): portal}
++        self.authenticator = client.XMPPClientListenAuthenticator(portals)
++        self.xmlstream = TestableXmlStream(self.authenticator)
++        self.xmlstream.makeConnection(self)
++
++
++    def loseConnection(self):
++        """
++        Stub loseConnection because we are a transport.
++        """
++        self.xmlstream.connectionLost("no reason")
++
++
++    def test_streamStarted(self):
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "to='example.org' "
++                         "version='1.0'>")
++
++        self.assertTrue(xs.headerSent)
++
++        # Extract SASL mechanisms
++        features = xs.output[-1]
++        self.assertEquals(NS_STREAMS, features.uri)
++        self.assertEquals('features', features.name)
++        parent = features.elements(NS_XMPP_SASL, 'mechanisms').next()
++        mechanisms = set()
++        for child in parent.elements(NS_XMPP_SASL, 'mechanism'):
++            mechanisms.add(unicode(child))
++
++        self.assertIn('PLAIN', mechanisms)
++
++
++    def test_streamStartedWrongNamespace(self):
++        """
++        An incorrect stream namespace causes a stream error.
++        """
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "to='example.org' "
++                         "version='1.0'>")
++        streamError = xs.streamErrors[-1]
++        self.assertEquals('invalid-namespace', streamError.condition)
++
++
++    def test_streamStartedNoTo(self):
++        """
++        A missing 'to' attribute on the stream header causes a stream error.
++        """
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "version='1.0'>")
++        streamError = xs.streamErrors[-1]
++        self.assertEquals('improper-addressing', streamError.condition)
++
++
++    def test_streamStartedUnknownHost(self):
++        """
++        An unknown 'to' on the stream header causes a stream error.
++        """
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "to='example.com' "
++                         "version='1.0'>")
++        streamError = xs.streamErrors[-1]
++        self.assertEquals('host-unknown', streamError.condition)
++
++
++    def test_auth(self):
++        """
++        Authenticating causes an avatar to be set on the authenticator.
++        """
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "to='example.org' "
++                         "version='1.0'>")
++        xs.output = []
++        xs.dataReceived("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' "
++                         "mechanism='PLAIN'>AHRlc3QAc2VjcmV0</auth>")
++        self.assertTrue(client.IAccount.providedBy(self.xmlstream.avatar))
++
++
++    def test_authInvalidMechanism(self):
++        """
++        Authenticating with an invalid SASL mechanism causes a streamError.
++        """
++        xs = self.xmlstream
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "to='example.org' "
++                         "version='1.0'>")
++        xs.output = []
++        xs.dataReceived("<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' "
++                         "mechanism='unknown'/>")
++        xpath.matches(("/failure[@xmlns='%s']"
++                       "/invalid-mechanism[@xmlns='%s']" %
++                       (NS_XMPP_SASL, NS_XMPP_SASL)),
++                      xs.output[-1])

listening-authenticator-stream-features.patch

@@ -1 +1 @@
 # HG changeset patch
-# Parent 4f4ccf34fee8357fdf4fbf1a741e4c5113553d5d
+# Parent 8b17590769db3088336f1fa65710c48e5ad5dcc1
+Add FeatureListeningAuthenticator.
+
+This new authenticator is for incoming streams and uses initializers
+for stream negotiation, similar to inializers for clients.
+
+TODO:
+
+ * Add docstrings.
+ * Add support for stream restarts.
 
 diff --git a/wokkel/generic.py b/wokkel/generic.py
 --- a/wokkel/generic.py
 +++ b/wokkel/generic.py
-@@ -327,3 +327,74 @@
+@@ -25,6 +25,8 @@
+ NS_VERSION = 'jabber:iq:version'
+ VERSION = IQ_GET + '/query[@xmlns="' + NS_VERSION + '"]'
+ 
++XPATH_ALL = "/*"
++
+ def parseXml(string):
+     """
+     Parse serialized XML into a DOM structure.
+@@ -327,3 +329,116 @@
  
      def clientConnectionFailed(self, connector, reason):
@@ -18 +36 @@
 +        self.headerSent = False
 +        self.footerSent = False
-+        self.streamErrors = []
++        self.streamError = None
 +        self.output = []
 +
@@ -36 +54 @@
 +
 +    def sendStreamError(self, streamError):
-+        self.streamErrors.append(streamError)
++        self.streamError = streamError
 +
 +
@@ -48 +66 @@
 +    Authenticator for receiving entities with support for initializers.
 +    """
++
++    def __init__(self):
++        self.completedInitializers = []
++
++
++    def _onElementFallback(self, element):
++        """
++        Fallback observer that rejects XML Stanzas.
++
++        This observer is active while stream feature negotiation has not yet
++        completed.
++        """
++        # ignore elements that are not XML Stanzas
++        if (element.uri not in (self.namespace) or
++            element.name not in ('iq', 'message', 'presence')):
++            return
++
++        # ignore elements that have already been handled
++        if element.handled:
++            return
++
++        exc = error.StreamError('not-authorized')
++        self.xmlstream.sendStreamError(exc)
++
 +
 +    def _initializeStream(self):
 +        def cb(result):
 +            result, index = result
-+            del self.initializers[index]
++            self.completedInitializers.append(self._initializers[index])
++            del self._initializers[index]
 +            self._initializeStream()
 +
@@ -58 +101 @@
 +        ds = []
 +        required = False
-+        for initializer in self.initializers:
++        for initializer in self._initializers:
 +            required = required or initializer.required
 +            for feature in initializer.getFeatures():
@@ -66 +109 @@
 +        self.xmlstream.send(features)
 +        if not required:
++            self.xmlstream.removeObserver(XPATH_ALL, self._onElementFallback)
 +            self.xmlstream.dispatch(self.xmlstream, xmlstream.STREAM_AUTHD_EVENT)
 +        if ds:
@@ -71 +115 @@
 +            d.addCallback(cb)
 +
++    def getInitializers(self):
++        return []
++
++
++    def checkStream(self):
++        # check namespace
++        if self.xmlstream.namespace != self.namespace:
++            self.xmlstream.namespace = self.namespace
++            raise error.StreamError('invalid-namespace')
 +
 +
 +    def streamStarted(self, rootElement):
 +        xmlstream.ListenAuthenticator.streamStarted(self, rootElement)
-+        # check headers?
++
++        try:
++            self.checkStream()
++        except error.StreamError, exc:
++            self.xmlstream.sendStreamError(exc)
++            return
++
++        self.xmlstream.addObserver(XPATH_ALL, self._onElementFallback, -1)
 +        self.xmlstream.sendHeader()
-+        self.initializers = self.getInitializers()
++
++        self._initializers = self.getInitializers()
 +        self._initializeStream()
-+
 diff --git a/wokkel/test/test_generic.py b/wokkel/test/test_generic.py
 --- a/wokkel/test/test_generic.py
@@ -92 +152 @@
  from twisted.words.xish import domish
  from twisted.words.protocols.jabber.jid import JID
-+from twisted.words.protocols.jabber import xmlstream
++from twisted.words.protocols.jabber import error, xmlstream
  
  from wokkel import generic
  from wokkel.test.helpers import XmlStreamStub
-@@ -268,3 +271,79 @@
+@@ -268,3 +271,218 @@
          The default is no timeout.
          """
@@ -102 +162 @@
 +
 +
++
++class TestableReceivingInitializer(object):
++    """
++    Testable initializer for receiving entities.
++
++    This initializer advertises support for a stream feature denoted by
++    C{uri} and C{name}. Its C{deferred} should be fired to complete
++    initialization for this initializer.
++
++    @ivar uri: Namespace of the stream feature.
++    @ivar name: Element localname for the stream feature.
++    """
++    required = True
++
++    def __init__(self, xs, uri, name):
++        self.xmlstream = xs
++        self.uri = uri
++        self.name = name
++        self.deferred = defer.Deferred()
++
++
++    def getFeatures(self):
++        return [domish.Element((self.uri, self.name))]
++
++
++    def initialize(self):
++        return self.deferred
 +
 +class FeatureListenAuthenticatorTest(unittest.TestCase):
@@ -112 +199 @@
 +        self.initFailure = None
 +        self.authenticator = generic.FeatureListenAuthenticator()
++        self.authenticator.namespace = 'jabber:server'
 +        self.xmlstream = generic.TestableXmlStream(self.authenticator)
 +        self.xmlstream.addObserver('//event/stream/authd',
@@ -118 +206 @@
 +                                   self.onInitFailed)
 +
++        self.init = TestableReceivingInitializer(self.xmlstream, 'testns', 'test')
++
++        def getInitializers():
++            return [self.init]
++
++        self.authenticator.getInitializers = getInitializers
++
 +
 +    def onAuthenticated(self, obj):
@@ -133 +228 @@
 +        The method getInitializers will determine the available stream
 +        initializers given the current state of stream initialization.
-+        Then, each of the returned initializers will be called to set
++        hen, each of the returned initializers will be called to set
 +        themselves up.
 +        """
-+        class Initializer(object):
-+            required = True
-+            def __init__(self, xs):
-+                self.xmlstream = xs
-+                self.deferred = defer.Deferred()
-+            def getFeatures(self):
-+                return [domish.Element(('testns', 'test'))]
-+            def initialize(self):
-+                return self.deferred
-+
-+        init = Initializer(self.xmlstream)
-+
-+        def getInitializers():
-+            return [init]
-+
-+        self.authenticator.getInitializers = getInitializers
 +
 +        xs = self.xmlstream
@@ -164 +243 @@
 +        # Check if features were sent
 +        features = xs.output[-1]
-+        print features.toXml()
 +        self.assertEquals(xmlstream.NS_STREAMS, features.uri)
 +        self.assertEquals('features', features.name)
 +        feature = features.elements().next()
-+        print feature.toXml()
 +        self.assertEqual('testns', feature.uri)
 +        self.assertEqual('test', feature.name)
@@ -174 +251 @@
 +        self.assertFalse(self.gotAuthenticated)
 +
-+        init.deferred.callback(None)
++        self.init.deferred.callback(None)
 +        self.assertTrue(self.gotAuthenticated)
++
++
++    def test_streamStartedInitializerCompleted(self):
++        """
++        Succesfully finished initializers are recorded.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        self.init.deferred.callback(None)
++        self.assertEqual([self.init], self.authenticator.completedInitializers)
++
++
++    def test_streamStartedXmlStanzasRejected(self):
++        """
++        XML Stanzas may not be sent before feature negotiation has completed.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        xs.dataReceived("<iq to='example.org' from='example.com' type='set'>"
++                        "  <query xmlns='jabber:iq:version'/>"
++                        "</iq>")
++
++        self.assertEqual('not-authorized', xs.streamError.condition)
++
++
++    def test_streamStartedCompleteXmlStanzasAllowed(self):
++        """
++        XML Stanzas may sent after feature negotiation has completed.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        self.init.deferred.callback(None)
++
++        xs.dataReceived("<iq to='example.org' from='example.com' type='set'>"
++                        "  <query xmlns='jabber:iq:version'/>"
++                        "</iq>")
++
++        self.assertIdentical(None, xs.streamError)
++
++
++    def test_streamStartedXmlStanzasHandledIgnored(self):
++        """
++        XML Stanzas that have already been handled are ignored.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        iq = generic.parseXml("<iq to='example.org' from='example.com' type='set'>"
++                              "  <query xmlns='jabber:iq:version'/>"
++                              "</iq>")
++        iq.handled = True
++        xs.dispatch(iq)
++
++        self.assertIdentical(None, xs.streamError)
++
++
++    def test_streamStartedNonXmlStanzasIgnored(self):
++        """
++        Elements that are not XML Stranzas are not rejected.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        xs.dataReceived("<test xmlns='myns'/>")
++
++        self.assertIdentical(None, xs.streamError)
++
++
++    def test_streamStartedCheckStream(self):
++        """
++        Stream errors raised by checkStream are sent out.
++        """
++        def checkStream():
++            raise error.StreamError('undefined-condition')
++
++        self.authenticator.checkStream = checkStream
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:server' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        self.assertEqual('undefined-condition', xs.streamError.condition)
++        self.assertFalse(xs.headerSent)
++
++
++    def test_checkStreamNamespace(self):
++        """
++        The stream namespace must match the pre-defined stream namespace.
++        """
++        xs = self.xmlstream
++        xs.makeConnection(proto_helpers.StringTransport())
++        xs.dataReceived("<stream:stream xmlns='jabber:client' "
++                         "xmlns:stream='http://etherx.jabber.org/streams' "
++                         "from='example.com' to='example.org' id='12345' "
++                         "version='1.0'>")
++
++        self.assertEqual('invalid-namespace', xs.streamError.condition)

series

@@ -1 +1 @@
 roster_server.patch #+c2s
 router_unknown.patch #+c2s
+
+listening-authenticator-stream-features.patch #+c2s
 client_listen_authenticator.patch #+c2s
-c2s-cred.patch #+c2s
-listening-authenticator-stream-features.patch
 
-c2s_server_factory.patch #+c2s
-session_manager.patch #+c2s
-c2s_stanza_handlers.patch #+c2s
+c2s_server_factory.patch #+c2s-broken
+session_manager.patch #+c2s-broken
+c2s_stanza_handlers.patch #+c2s-broken
 
 version.patch