aboutsummaryrefslogtreecommitdiff
path: root/tests/unit_tests/http_auth.cpp
diff options
context:
space:
mode:
authorLee Clagett <code@leeclagett.com>2016-12-30 01:47:57 -0500
committerLee Clagett <code@leeclagett.com>2017-01-11 03:21:17 -0500
commitd81cb0870442a919388df181d2134535bc6d1425 (patch)
tree8f6560acdf3d463fa087f0c55fc057b35ae9126e /tests/unit_tests/http_auth.cpp
parentMerge pull request #1542 (diff)
downloadmonero-d81cb0870442a919388df181d2134535bc6d1425.tar.xz
Added (not yet enabled) HTTP client authentication
Diffstat (limited to 'tests/unit_tests/http_auth.cpp')
-rw-r--r--tests/unit_tests/http_auth.cpp351
1 files changed, 302 insertions, 49 deletions
diff --git a/tests/unit_tests/http_auth.cpp b/tests/unit_tests/http_auth.cpp
index 7158850b6..97954642f 100644
--- a/tests/unit_tests/http_auth.cpp
+++ b/tests/unit_tests/http_auth.cpp
@@ -61,6 +61,7 @@
#include "string_tools.h"
namespace {
+namespace http = epee::net_utils::http;
using fields = std::unordered_map<std::string, std::string>;
using auth_responses = std::vector<fields>;
@@ -71,17 +72,28 @@ std::string quoted(std::string str)
return str;
}
-epee::net_utils::http::http_request_info make_request(const fields& args)
+void write_fields(std::string& out, const fields& args)
{
namespace karma = boost::spirit::karma;
-
- std::string out{" DIGEST "};
karma::generate(
std::back_inserter(out),
(karma::string << " = " << karma::string) % " , ",
args);
+}
+
+std::string write_fields(const fields& args)
+{
+ std::string out{};
+ write_fields(out, args);
+ return out;
+}
- epee::net_utils::http::http_request_info request{};
+http::http_request_info make_request(const fields& args)
+{
+ std::string out{" DIGEST "};
+ write_fields(out, args);
+
+ http::http_request_info request{};
request.m_http_method_str = "NOP";
request.m_header_info.m_etc_fields.push_back(
std::make_pair(u8"authorization", std::move(out))
@@ -89,6 +101,21 @@ epee::net_utils::http::http_request_info make_request(const fields& args)
return request;
}
+http::http_response_info make_response(const auth_responses& choices)
+{
+ http::http_response_info response{};
+ for (const auto& choice : choices)
+ {
+ std::string out{" DIGEST "};
+ write_fields(out, choice);
+
+ response.m_additional_fields.push_back(
+ std::make_pair(u8"WWW-authenticate", std::move(out))
+ );
+ }
+ return response;
+}
+
bool has_same_fields(const auth_responses& in)
{
const std::vector<std::string> check{u8"nonce", u8"qop", u8"realm", u8"stale"};
@@ -113,7 +140,7 @@ bool has_same_fields(const auth_responses& in)
return true;
}
-bool is_unauthorized(const epee::net_utils::http::http_response_info& response)
+bool is_unauthorized(const http::http_response_info& response)
{
EXPECT_EQ(401, response.m_response_code);
EXPECT_STREQ(u8"Unauthorized", response.m_response_comment.c_str());
@@ -123,39 +150,44 @@ bool is_unauthorized(const epee::net_utils::http::http_response_info& response)
response.m_mime_tipe == u8"text/html";
}
-
-auth_responses parse_response(const epee::net_utils::http::http_response_info& response)
+fields parse_fields(const std::string& value)
{
namespace qi = boost::spirit::qi;
+ fields out{};
+ const bool rc = qi::parse(
+ value.begin(), value.end(),
+ qi::lit(u8"Digest ") >> ((
+ +qi::ascii::alpha >>
+ qi::lit('=') >> (
+ (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) |
+ +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}"))
+ )
+ ) % ','
+ ) >> qi::eoi,
+ out
+ );
+ if (!rc)
+ throw std::runtime_error{"Bad field given in HTTP header"};
+
+ return out;
+}
+
+auth_responses parse_response(const http::http_response_info& response)
+{
auth_responses result{};
const auto end = response.m_additional_fields.end();
- for (auto current = response.m_additional_fields.begin(); current != end; ++current)
+ for (auto current = response.m_additional_fields.begin();; ++current)
{
current = std::find_if(current, end, [] (const std::pair<std::string, std::string>& field) {
- return boost::iequals(u8"www-authenticate", field.first);
+ return boost::equals(u8"WWW-authenticate", field.first);
});
if (current == end)
return result;
- std::unordered_map<std::string, std::string> fields{};
- const bool rc = qi::parse(
- current->second.begin(), current->second.end(),
- qi::lit(u8"Digest ") >> ((
- +qi::ascii::alpha >>
- qi::lit('=') >> (
- (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) |
- +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}"))
- )
- ) % ','
- ) >> qi::eoi,
- fields
- );
-
- if (rc)
- result.push_back(std::move(fields));
+ result.push_back(parse_fields(current->second));
}
return result;
}
@@ -175,15 +207,20 @@ std::string md5_hex(const std::string& in)
return epee::string_tools::pod_to_hex(digest);
}
-std::string get_a1(const epee::net_utils::http::http_auth::login& user, const auth_responses& responses)
+std::string get_a1(const http::login& user, const fields& src)
{
- const std::string& realm = responses.at(0).at(u8"realm");
+ const std::string& realm = src.at(u8"realm");
return boost::join(
std::vector<std::string>{user.username, realm, user.password}, u8":"
);
}
-std::string get_a1_sess(const epee::net_utils::http::http_auth::login& user, const std::string& cnonce, const auth_responses& responses)
+std::string get_a1(const http::login& user, const auth_responses& responses)
+{
+ return get_a1(user, responses.at(0));
+}
+
+std::string get_a1_sess(const http::login& user, const std::string& cnonce, const auth_responses& responses)
{
const std::string& nonce = responses.at(0).at(u8"nonce");
return boost::join(
@@ -210,36 +247,36 @@ std::string get_nc(std::uint32_t count)
}
}
-TEST(HTTP_Auth, NotRequired)
+TEST(HTTP_Server_Auth, NotRequired)
{
- epee::net_utils::http::http_auth auth{};
- EXPECT_FALSE(auth.get_response(epee::net_utils::http::http_request_info{}));
+ http::http_server_auth auth{};
+ EXPECT_FALSE(auth.get_response(http::http_request_info{}));
}
-TEST(HTTP_Auth, MissingAuth)
+TEST(HTTP_Server_Auth, MissingAuth)
{
- epee::net_utils::http::http_auth auth{{"foo", "bar"}};
- EXPECT_TRUE(bool(auth.get_response(epee::net_utils::http::http_request_info{})));
+ http::http_server_auth auth{{"foo", "bar"}};
+ EXPECT_TRUE(bool(auth.get_response(http::http_request_info{})));
{
- epee::net_utils::http::http_request_info request{};
+ http::http_request_info request{};
request.m_header_info.m_etc_fields.push_back({"\xFF", "\xFF"});
EXPECT_TRUE(bool(auth.get_response(request)));
}
}
-TEST(HTTP_Auth, BadSyntax)
+TEST(HTTP_Server_Auth, BadSyntax)
{
- epee::net_utils::http::http_auth auth{{"foo", "bar"}};
+ http::http_server_auth auth{{"foo", "bar"}};
EXPECT_TRUE(bool(auth.get_response(make_request({{u8"algorithm", "fo\xFF"}}))));
EXPECT_TRUE(bool(auth.get_response(make_request({{u8"cnonce", "\"000\xFF\""}}))));
EXPECT_TRUE(bool(auth.get_response(make_request({{u8"cnonce \xFF =", "\"000\xFF\""}}))));
EXPECT_TRUE(bool(auth.get_response(make_request({{u8" \xFF cnonce", "\"000\xFF\""}}))));
}
-TEST(HTTP_Auth, MD5)
+TEST(HTTP_Server_Auth, MD5)
{
- epee::net_utils::http::http_auth::login user{"foo", "bar"};
- epee::net_utils::http::http_auth auth{user};
+ http::login user{"foo", "bar"};
+ http::http_server_auth auth{user};
const auto response = auth.get_response(make_request(fields{}));
ASSERT_TRUE(bool(response));
@@ -283,12 +320,12 @@ TEST(HTTP_Auth, MD5)
EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
-TEST(HTTP_Auth, MD5_sess)
+TEST(HTTP_Server_Auth, MD5_sess)
{
constexpr const char cnonce[] = "not a good cnonce";
- epee::net_utils::http::http_auth::login user{"foo", "bar"};
- epee::net_utils::http::http_auth auth{user};
+ http::login user{"foo", "bar"};
+ http::http_server_auth auth{user};
const auto response = auth.get_response(make_request(fields{}));
ASSERT_TRUE(bool(response));
@@ -334,13 +371,13 @@ TEST(HTTP_Auth, MD5_sess)
EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
-TEST(HTTP_Auth, MD5_auth)
+TEST(HTTP_Server_Auth, MD5_auth)
{
constexpr const char cnonce[] = "not a nonce";
constexpr const char qop[] = "auth";
- epee::net_utils::http::http_auth::login user{"foo", "bar"};
- epee::net_utils::http::http_auth auth{user};
+ http::login user{"foo", "bar"};
+ http::http_server_auth auth{user};
const auto response = auth.get_response(make_request(fields{}));
ASSERT_TRUE(bool(response));
@@ -402,13 +439,13 @@ TEST(HTTP_Auth, MD5_auth)
EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
-TEST(HTTP_Auth, MD5_sess_auth)
+TEST(HTTP_Server_Auth, MD5_sess_auth)
{
constexpr const char cnonce[] = "not a nonce";
constexpr const char qop[] = "auth";
- epee::net_utils::http::http_auth::login user{"foo", "bar"};
- epee::net_utils::http::http_auth auth{user};
+ http::login user{"foo", "bar"};
+ http::http_server_auth auth{user};
const auto response = auth.get_response(make_request(fields{}));
ASSERT_TRUE(bool(response));
@@ -469,3 +506,219 @@ TEST(HTTP_Auth, MD5_sess_auth)
EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
+
+
+TEST(HTTP_Auth, DogFood)
+{
+ const auto add_field = [] (http::http_request_info& request, http::http_client_auth& client)
+ {
+ auto field = client.get_auth_field(request.m_http_method_str, request.m_URI);
+ EXPECT_TRUE(bool(field));
+ if (!field)
+ return false;
+ request.m_header_info.m_etc_fields.push_back(std::move(*field));
+ return true;
+ };
+
+ const http::login user{"some_user", "ultimate password"};
+
+ http::http_server_auth server{user};
+ http::http_client_auth client{user};
+
+ http::http_request_info request{};
+ request.m_http_method_str = "GET";
+ request.m_URI = "/FOO";
+
+ const auto response = server.get_response(request);
+ ASSERT_TRUE(bool(response));
+ EXPECT_TRUE(is_unauthorized(*response));
+
+ EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response));
+ EXPECT_TRUE(add_field(request, client));
+ EXPECT_FALSE(bool(server.get_response(request)));
+
+ for (unsigned i = 0; i < 1000; ++i)
+ {
+ request.m_http_method_str += std::to_string(i);
+ request.m_header_info.m_etc_fields.clear();
+ EXPECT_TRUE(add_field(request, client));
+ EXPECT_FALSE(bool(server.get_response(request)));
+ }
+
+ // resetting counter should be rejected by server
+ request.m_header_info.m_etc_fields.clear();
+ client = http::http_client_auth{user};
+ EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response));
+ EXPECT_TRUE(add_field(request, client));
+
+ const auto response2 = server.get_response(request);
+ ASSERT_TRUE(bool(response2));
+ EXPECT_TRUE(is_unauthorized(*response2));
+
+ const auth_responses parsed1 = parse_response(*response);
+ const auth_responses parsed2 = parse_response(*response2);
+ ASSERT_LE(1u, parsed1.size());
+ ASSERT_LE(1u, parsed2.size());
+ EXPECT_NE(parsed1[0].at(u8"nonce"), parsed2[0].at(u8"nonce"));
+
+ // with stale=true client should reset
+ request.m_header_info.m_etc_fields.clear();
+ EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response2));
+ EXPECT_TRUE(add_field(request, client));
+ EXPECT_FALSE(bool(server.get_response(request)));
+
+ // client should give up if stale=false
+ EXPECT_EQ(http::http_client_auth::kBadPassword, client.handle_401(*response));
+}
+
+TEST(HTTP_Client_Auth, Unavailable)
+{
+ http::http_client_auth auth{};
+ EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(http::http_response_info{}));
+ EXPECT_FALSE(bool(auth.get_auth_field("GET", "/file")));
+}
+
+TEST(HTTP_Client_Auth, MissingAuthenticate)
+{
+ http::http_client_auth auth{{"foo", "bar"}};
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(http::http_response_info{}));
+ EXPECT_FALSE(bool(auth.get_auth_field("POST", "/\xFFname")));
+ {
+ http::http_response_info response{};
+ response.m_additional_fields.push_back({"\xFF", "\xFF"});
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(response));
+ }
+ EXPECT_FALSE(bool(auth.get_auth_field("DELETE", "/file/does/not/exist")));
+}
+
+TEST(HTTP_Client_Auth, BadSyntax)
+{
+ http::http_client_auth auth{{"foo", "bar"}};
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"realm", "fo\xFF"}}})));
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"domain", "fo\xFF"}}})));
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"nonce", "fo\xFF"}}})));
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"nonce \xFF =", "fo\xFF"}}})));
+ EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8" \xFF nonce", "fo\xFF"}}})));
+}
+
+TEST(HTTP_Client_Auth, MD5)
+{
+ constexpr char method[] = "NOP";
+ constexpr char nonce[] = "some crazy nonce";
+ constexpr char realm[] = "the only realm";
+ constexpr char uri[] = "/some_file";
+
+ const http::login user{"foo", "bar"};
+ http::http_client_auth auth{user};
+
+ auto response = make_response({
+ {
+ {u8"domain", quoted("ignored")},
+ {u8"nonce", quoted(nonce)},
+ {u8"REALM", quoted(realm)}
+ },
+ {
+ {u8"algorithm", "null"},
+ {u8"domain", quoted("ignored")},
+ {u8"nonce", quoted(std::string{"e"} + nonce)},
+ {u8"realm", quoted(std::string{"e"} + realm)}
+ },
+ });
+
+ EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
+ const auto auth_field = auth.get_auth_field(method, uri);
+ ASSERT_TRUE(bool(auth_field));
+
+ const auto parsed = parse_fields(auth_field->second);
+ EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
+ EXPECT_EQ(parsed.end(), parsed.find(u8"opaque"));
+ EXPECT_EQ(parsed.end(), parsed.find(u8"qop"));
+ EXPECT_EQ(parsed.end(), parsed.find(u8"nc"));
+ EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
+ EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
+ EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
+ EXPECT_EQ(user.username, parsed.at(u8"username"));
+ EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());
+
+ const std::string a1 = get_a1(user, parsed);
+ const std::string a2 = get_a2(uri);
+ const std::string auth_code = md5_hex(
+ boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
+ );
+ EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
+ {
+ const auto auth_field_dup = auth.get_auth_field(method, uri);
+ ASSERT_TRUE(bool(auth_field_dup));
+ EXPECT_EQ(*auth_field, *auth_field_dup);
+ }
+
+
+ EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response));
+ response.m_additional_fields.front().second.append(u8"," + write_fields({{u8"stale", u8"TRUE"}}));
+ EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
+}
+
+TEST(HTTP_Client_Auth, MD5_auth)
+{
+ constexpr char cnonce[] = "";
+ constexpr char method[] = "NOP";
+ constexpr char nonce[] = "some crazy nonce";
+ constexpr char opaque[] = "this is the opaque";
+ constexpr char qop[] = u8"ignore,auth,ignore";
+ constexpr char realm[] = "the only realm";
+ constexpr char uri[] = "/some_file";
+
+ const http::login user{"foo", "bar"};
+ http::http_client_auth auth{user};
+
+ auto response = make_response({
+ {
+ {u8"algorithm", u8"MD5"},
+ {u8"domain", quoted("ignored")},
+ {u8"nonce", quoted(std::string{"e"} + nonce)},
+ {u8"realm", quoted(std::string{"e"} + realm)},
+ {u8"qop", quoted("some,thing,to,ignore")}
+ },
+ {
+ {u8"algorIthm", quoted(u8"md5")},
+ {u8"domain", quoted("ignored")},
+ {u8"noNce", quoted(nonce)},
+ {u8"opaque", quoted(opaque)},
+ {u8"realm", quoted(realm)},
+ {u8"QoP", quoted(qop)}
+ }
+ });
+
+ EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
+
+ for (unsigned i = 1; i < 1000; ++i)
+ {
+ const std::string nc = get_nc(i);
+
+ const auto auth_field = auth.get_auth_field(method, uri);
+ ASSERT_TRUE(bool(auth_field));
+
+ const auto parsed = parse_fields(auth_field->second);
+ EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
+ EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
+ EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
+ EXPECT_STREQ(opaque, parsed.at(u8"opaque").c_str());
+ EXPECT_STREQ(u8"auth", parsed.at(u8"qop").c_str());
+ EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
+ EXPECT_EQ(user.username, parsed.at(u8"username"));
+ EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());
+ EXPECT_EQ(nc, parsed.at(u8"nc"));
+
+ const std::string a1 = get_a1(user, parsed);
+ const std::string a2 = get_a2(uri);
+ const std::string auth_code = md5_hex(
+ boost::join(std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, u8"auth", md5_hex(a2)}, u8":")
+ );
+ EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
+ }
+
+ EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response));
+ response.m_additional_fields.back().second.append(u8"," + write_fields({{u8"stale", u8"trUe"}}));
+ EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
+}
+