diff options
author | Lee Clagett <code@leeclagett.com> | 2016-12-30 01:47:57 -0500 |
---|---|---|
committer | Lee Clagett <code@leeclagett.com> | 2017-01-11 03:21:17 -0500 |
commit | d81cb0870442a919388df181d2134535bc6d1425 (patch) | |
tree | 8f6560acdf3d463fa087f0c55fc057b35ae9126e /tests | |
parent | Merge pull request #1542 (diff) | |
download | monero-d81cb0870442a919388df181d2134535bc6d1425.tar.xz |
Added (not yet enabled) HTTP client authentication
Diffstat (limited to 'tests')
-rw-r--r-- | tests/unit_tests/http_auth.cpp | 351 |
1 files changed, 302 insertions, 49 deletions
diff --git a/tests/unit_tests/http_auth.cpp b/tests/unit_tests/http_auth.cpp index 7158850b6..97954642f 100644 --- a/tests/unit_tests/http_auth.cpp +++ b/tests/unit_tests/http_auth.cpp @@ -61,6 +61,7 @@ #include "string_tools.h" namespace { +namespace http = epee::net_utils::http; using fields = std::unordered_map<std::string, std::string>; using auth_responses = std::vector<fields>; @@ -71,17 +72,28 @@ std::string quoted(std::string str) return str; } -epee::net_utils::http::http_request_info make_request(const fields& args) +void write_fields(std::string& out, const fields& args) { namespace karma = boost::spirit::karma; - - std::string out{" DIGEST "}; karma::generate( std::back_inserter(out), (karma::string << " = " << karma::string) % " , ", args); +} + +std::string write_fields(const fields& args) +{ + std::string out{}; + write_fields(out, args); + return out; +} - epee::net_utils::http::http_request_info request{}; +http::http_request_info make_request(const fields& args) +{ + std::string out{" DIGEST "}; + write_fields(out, args); + + http::http_request_info request{}; request.m_http_method_str = "NOP"; request.m_header_info.m_etc_fields.push_back( std::make_pair(u8"authorization", std::move(out)) @@ -89,6 +101,21 @@ epee::net_utils::http::http_request_info make_request(const fields& args) return request; } +http::http_response_info make_response(const auth_responses& choices) +{ + http::http_response_info response{}; + for (const auto& choice : choices) + { + std::string out{" DIGEST "}; + write_fields(out, choice); + + response.m_additional_fields.push_back( + std::make_pair(u8"WWW-authenticate", std::move(out)) + ); + } + return response; +} + bool has_same_fields(const auth_responses& in) { const std::vector<std::string> check{u8"nonce", u8"qop", u8"realm", u8"stale"}; @@ -113,7 +140,7 @@ bool has_same_fields(const auth_responses& in) return true; } -bool is_unauthorized(const epee::net_utils::http::http_response_info& response) +bool is_unauthorized(const http::http_response_info& response) { EXPECT_EQ(401, response.m_response_code); EXPECT_STREQ(u8"Unauthorized", response.m_response_comment.c_str()); @@ -123,39 +150,44 @@ bool is_unauthorized(const epee::net_utils::http::http_response_info& response) response.m_mime_tipe == u8"text/html"; } - -auth_responses parse_response(const epee::net_utils::http::http_response_info& response) +fields parse_fields(const std::string& value) { namespace qi = boost::spirit::qi; + fields out{}; + const bool rc = qi::parse( + value.begin(), value.end(), + qi::lit(u8"Digest ") >> (( + +qi::ascii::alpha >> + qi::lit('=') >> ( + (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) | + +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}")) + ) + ) % ',' + ) >> qi::eoi, + out + ); + if (!rc) + throw std::runtime_error{"Bad field given in HTTP header"}; + + return out; +} + +auth_responses parse_response(const http::http_response_info& response) +{ auth_responses result{}; const auto end = response.m_additional_fields.end(); - for (auto current = response.m_additional_fields.begin(); current != end; ++current) + for (auto current = response.m_additional_fields.begin();; ++current) { current = std::find_if(current, end, [] (const std::pair<std::string, std::string>& field) { - return boost::iequals(u8"www-authenticate", field.first); + return boost::equals(u8"WWW-authenticate", field.first); }); if (current == end) return result; - std::unordered_map<std::string, std::string> fields{}; - const bool rc = qi::parse( - current->second.begin(), current->second.end(), - qi::lit(u8"Digest ") >> (( - +qi::ascii::alpha >> - qi::lit('=') >> ( - (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) | - +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}")) - ) - ) % ',' - ) >> qi::eoi, - fields - ); - - if (rc) - result.push_back(std::move(fields)); + result.push_back(parse_fields(current->second)); } return result; } @@ -175,15 +207,20 @@ std::string md5_hex(const std::string& in) return epee::string_tools::pod_to_hex(digest); } -std::string get_a1(const epee::net_utils::http::http_auth::login& user, const auth_responses& responses) +std::string get_a1(const http::login& user, const fields& src) { - const std::string& realm = responses.at(0).at(u8"realm"); + const std::string& realm = src.at(u8"realm"); return boost::join( std::vector<std::string>{user.username, realm, user.password}, u8":" ); } -std::string get_a1_sess(const epee::net_utils::http::http_auth::login& user, const std::string& cnonce, const auth_responses& responses) +std::string get_a1(const http::login& user, const auth_responses& responses) +{ + return get_a1(user, responses.at(0)); +} + +std::string get_a1_sess(const http::login& user, const std::string& cnonce, const auth_responses& responses) { const std::string& nonce = responses.at(0).at(u8"nonce"); return boost::join( @@ -210,36 +247,36 @@ std::string get_nc(std::uint32_t count) } } -TEST(HTTP_Auth, NotRequired) +TEST(HTTP_Server_Auth, NotRequired) { - epee::net_utils::http::http_auth auth{}; - EXPECT_FALSE(auth.get_response(epee::net_utils::http::http_request_info{})); + http::http_server_auth auth{}; + EXPECT_FALSE(auth.get_response(http::http_request_info{})); } -TEST(HTTP_Auth, MissingAuth) +TEST(HTTP_Server_Auth, MissingAuth) { - epee::net_utils::http::http_auth auth{{"foo", "bar"}}; - EXPECT_TRUE(bool(auth.get_response(epee::net_utils::http::http_request_info{}))); + http::http_server_auth auth{{"foo", "bar"}}; + EXPECT_TRUE(bool(auth.get_response(http::http_request_info{}))); { - epee::net_utils::http::http_request_info request{}; + http::http_request_info request{}; request.m_header_info.m_etc_fields.push_back({"\xFF", "\xFF"}); EXPECT_TRUE(bool(auth.get_response(request))); } } -TEST(HTTP_Auth, BadSyntax) +TEST(HTTP_Server_Auth, BadSyntax) { - epee::net_utils::http::http_auth auth{{"foo", "bar"}}; + http::http_server_auth auth{{"foo", "bar"}}; EXPECT_TRUE(bool(auth.get_response(make_request({{u8"algorithm", "fo\xFF"}})))); EXPECT_TRUE(bool(auth.get_response(make_request({{u8"cnonce", "\"000\xFF\""}})))); EXPECT_TRUE(bool(auth.get_response(make_request({{u8"cnonce \xFF =", "\"000\xFF\""}})))); EXPECT_TRUE(bool(auth.get_response(make_request({{u8" \xFF cnonce", "\"000\xFF\""}})))); } -TEST(HTTP_Auth, MD5) +TEST(HTTP_Server_Auth, MD5) { - epee::net_utils::http::http_auth::login user{"foo", "bar"}; - epee::net_utils::http::http_auth auth{user}; + http::login user{"foo", "bar"}; + http::http_server_auth auth{user}; const auto response = auth.get_response(make_request(fields{})); ASSERT_TRUE(bool(response)); @@ -283,12 +320,12 @@ TEST(HTTP_Auth, MD5) EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str()); } -TEST(HTTP_Auth, MD5_sess) +TEST(HTTP_Server_Auth, MD5_sess) { constexpr const char cnonce[] = "not a good cnonce"; - epee::net_utils::http::http_auth::login user{"foo", "bar"}; - epee::net_utils::http::http_auth auth{user}; + http::login user{"foo", "bar"}; + http::http_server_auth auth{user}; const auto response = auth.get_response(make_request(fields{})); ASSERT_TRUE(bool(response)); @@ -334,13 +371,13 @@ TEST(HTTP_Auth, MD5_sess) EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str()); } -TEST(HTTP_Auth, MD5_auth) +TEST(HTTP_Server_Auth, MD5_auth) { constexpr const char cnonce[] = "not a nonce"; constexpr const char qop[] = "auth"; - epee::net_utils::http::http_auth::login user{"foo", "bar"}; - epee::net_utils::http::http_auth auth{user}; + http::login user{"foo", "bar"}; + http::http_server_auth auth{user}; const auto response = auth.get_response(make_request(fields{})); ASSERT_TRUE(bool(response)); @@ -402,13 +439,13 @@ TEST(HTTP_Auth, MD5_auth) EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str()); } -TEST(HTTP_Auth, MD5_sess_auth) +TEST(HTTP_Server_Auth, MD5_sess_auth) { constexpr const char cnonce[] = "not a nonce"; constexpr const char qop[] = "auth"; - epee::net_utils::http::http_auth::login user{"foo", "bar"}; - epee::net_utils::http::http_auth auth{user}; + http::login user{"foo", "bar"}; + http::http_server_auth auth{user}; const auto response = auth.get_response(make_request(fields{})); ASSERT_TRUE(bool(response)); @@ -469,3 +506,219 @@ TEST(HTTP_Auth, MD5_sess_auth) EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce")); EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str()); } + + +TEST(HTTP_Auth, DogFood) +{ + const auto add_field = [] (http::http_request_info& request, http::http_client_auth& client) + { + auto field = client.get_auth_field(request.m_http_method_str, request.m_URI); + EXPECT_TRUE(bool(field)); + if (!field) + return false; + request.m_header_info.m_etc_fields.push_back(std::move(*field)); + return true; + }; + + const http::login user{"some_user", "ultimate password"}; + + http::http_server_auth server{user}; + http::http_client_auth client{user}; + + http::http_request_info request{}; + request.m_http_method_str = "GET"; + request.m_URI = "/FOO"; + + const auto response = server.get_response(request); + ASSERT_TRUE(bool(response)); + EXPECT_TRUE(is_unauthorized(*response)); + + EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response)); + EXPECT_TRUE(add_field(request, client)); + EXPECT_FALSE(bool(server.get_response(request))); + + for (unsigned i = 0; i < 1000; ++i) + { + request.m_http_method_str += std::to_string(i); + request.m_header_info.m_etc_fields.clear(); + EXPECT_TRUE(add_field(request, client)); + EXPECT_FALSE(bool(server.get_response(request))); + } + + // resetting counter should be rejected by server + request.m_header_info.m_etc_fields.clear(); + client = http::http_client_auth{user}; + EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response)); + EXPECT_TRUE(add_field(request, client)); + + const auto response2 = server.get_response(request); + ASSERT_TRUE(bool(response2)); + EXPECT_TRUE(is_unauthorized(*response2)); + + const auth_responses parsed1 = parse_response(*response); + const auth_responses parsed2 = parse_response(*response2); + ASSERT_LE(1u, parsed1.size()); + ASSERT_LE(1u, parsed2.size()); + EXPECT_NE(parsed1[0].at(u8"nonce"), parsed2[0].at(u8"nonce")); + + // with stale=true client should reset + request.m_header_info.m_etc_fields.clear(); + EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response2)); + EXPECT_TRUE(add_field(request, client)); + EXPECT_FALSE(bool(server.get_response(request))); + + // client should give up if stale=false + EXPECT_EQ(http::http_client_auth::kBadPassword, client.handle_401(*response)); +} + +TEST(HTTP_Client_Auth, Unavailable) +{ + http::http_client_auth auth{}; + EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(http::http_response_info{})); + EXPECT_FALSE(bool(auth.get_auth_field("GET", "/file"))); +} + +TEST(HTTP_Client_Auth, MissingAuthenticate) +{ + http::http_client_auth auth{{"foo", "bar"}}; + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(http::http_response_info{})); + EXPECT_FALSE(bool(auth.get_auth_field("POST", "/\xFFname"))); + { + http::http_response_info response{}; + response.m_additional_fields.push_back({"\xFF", "\xFF"}); + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(response)); + } + EXPECT_FALSE(bool(auth.get_auth_field("DELETE", "/file/does/not/exist"))); +} + +TEST(HTTP_Client_Auth, BadSyntax) +{ + http::http_client_auth auth{{"foo", "bar"}}; + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"realm", "fo\xFF"}}}))); + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"domain", "fo\xFF"}}}))); + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"nonce", "fo\xFF"}}}))); + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8"nonce \xFF =", "fo\xFF"}}}))); + EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({{{u8" \xFF nonce", "fo\xFF"}}}))); +} + +TEST(HTTP_Client_Auth, MD5) +{ + constexpr char method[] = "NOP"; + constexpr char nonce[] = "some crazy nonce"; + constexpr char realm[] = "the only realm"; + constexpr char uri[] = "/some_file"; + + const http::login user{"foo", "bar"}; + http::http_client_auth auth{user}; + + auto response = make_response({ + { + {u8"domain", quoted("ignored")}, + {u8"nonce", quoted(nonce)}, + {u8"REALM", quoted(realm)} + }, + { + {u8"algorithm", "null"}, + {u8"domain", quoted("ignored")}, + {u8"nonce", quoted(std::string{"e"} + nonce)}, + {u8"realm", quoted(std::string{"e"} + realm)} + }, + }); + + EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response)); + const auto auth_field = auth.get_auth_field(method, uri); + ASSERT_TRUE(bool(auth_field)); + + const auto parsed = parse_fields(auth_field->second); + EXPECT_STREQ(u8"Authorization", auth_field->first.c_str()); + EXPECT_EQ(parsed.end(), parsed.find(u8"opaque")); + EXPECT_EQ(parsed.end(), parsed.find(u8"qop")); + EXPECT_EQ(parsed.end(), parsed.find(u8"nc")); + EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str()); + EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str()); + EXPECT_STREQ(uri, parsed.at(u8"uri").c_str()); + EXPECT_EQ(user.username, parsed.at(u8"username")); + EXPECT_STREQ(realm, parsed.at(u8"realm").c_str()); + + const std::string a1 = get_a1(user, parsed); + const std::string a2 = get_a2(uri); + const std::string auth_code = md5_hex( + boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":") + ); + EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response"))); + { + const auto auth_field_dup = auth.get_auth_field(method, uri); + ASSERT_TRUE(bool(auth_field_dup)); + EXPECT_EQ(*auth_field, *auth_field_dup); + } + + + EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response)); + response.m_additional_fields.front().second.append(u8"," + write_fields({{u8"stale", u8"TRUE"}})); + EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response)); +} + +TEST(HTTP_Client_Auth, MD5_auth) +{ + constexpr char cnonce[] = ""; + constexpr char method[] = "NOP"; + constexpr char nonce[] = "some crazy nonce"; + constexpr char opaque[] = "this is the opaque"; + constexpr char qop[] = u8"ignore,auth,ignore"; + constexpr char realm[] = "the only realm"; + constexpr char uri[] = "/some_file"; + + const http::login user{"foo", "bar"}; + http::http_client_auth auth{user}; + + auto response = make_response({ + { + {u8"algorithm", u8"MD5"}, + {u8"domain", quoted("ignored")}, + {u8"nonce", quoted(std::string{"e"} + nonce)}, + {u8"realm", quoted(std::string{"e"} + realm)}, + {u8"qop", quoted("some,thing,to,ignore")} + }, + { + {u8"algorIthm", quoted(u8"md5")}, + {u8"domain", quoted("ignored")}, + {u8"noNce", quoted(nonce)}, + {u8"opaque", quoted(opaque)}, + {u8"realm", quoted(realm)}, + {u8"QoP", quoted(qop)} + } + }); + + EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response)); + + for (unsigned i = 1; i < 1000; ++i) + { + const std::string nc = get_nc(i); + + const auto auth_field = auth.get_auth_field(method, uri); + ASSERT_TRUE(bool(auth_field)); + + const auto parsed = parse_fields(auth_field->second); + EXPECT_STREQ(u8"Authorization", auth_field->first.c_str()); + EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str()); + EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str()); + EXPECT_STREQ(opaque, parsed.at(u8"opaque").c_str()); + EXPECT_STREQ(u8"auth", parsed.at(u8"qop").c_str()); + EXPECT_STREQ(uri, parsed.at(u8"uri").c_str()); + EXPECT_EQ(user.username, parsed.at(u8"username")); + EXPECT_STREQ(realm, parsed.at(u8"realm").c_str()); + EXPECT_EQ(nc, parsed.at(u8"nc")); + + const std::string a1 = get_a1(user, parsed); + const std::string a2 = get_a2(uri); + const std::string auth_code = md5_hex( + boost::join(std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, u8"auth", md5_hex(a2)}, u8":") + ); + EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response"))); + } + + EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response)); + response.m_additional_fields.back().second.append(u8"," + write_fields({{u8"stale", u8"trUe"}})); + EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response)); +} + |