1// Copyrights(c) 2017-2021, The Electroneum Project
2// Copyrights(c) 2014-2019, The Monero Project
3//
4// All rights reserved.
5//
6// Redistribution and use in source and binary forms, with or without modification, are
7// permitted provided that the following conditions are met:
8//
9// 1. Redistributions of source code must retain the above copyright notice, this list of
10// conditions and the following disclaimer.
11//
12// 2. Redistributions in binary form must reproduce the above copyright notice, this list
13// of conditions and the following disclaimer in the documentation and/or other
14// materials provided with the distribution.
15//
16// 3. Neither the name of the copyright holder nor the names of its contributors may be
17// used to endorse or promote products derived from this software without specific
18// prior written permission.
19//
20// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
21// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
22// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
23// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
28// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30#include "gtest/gtest.h"
31#include "net/http_auth.h"
32
33#include <boost/algorithm/string/predicate.hpp>
34#include <boost/algorithm/string/join.hpp>
35#include <boost/fusion/adapted/std_pair.hpp>
36#include <boost/range/algorithm/find_if.hpp>
37#include <boost/range/iterator_range_core.hpp>
38#include <boost/spirit/include/karma_char.hpp>
39#include <boost/spirit/include/karma_list.hpp>
40#include <boost/spirit/include/karma_generate.hpp>
41#include <boost/spirit/include/karma_right_alignment.hpp>
42#include <boost/spirit/include/karma_sequence.hpp>
43#include <boost/spirit/include/karma_string.hpp>
44#include <boost/spirit/include/karma_uint.hpp>
45#include <boost/spirit/include/qi_alternative.hpp>
46#include <boost/spirit/include/qi_char.hpp>
47#include <boost/spirit/include/qi_char_class.hpp>
48#include <boost/spirit/include/qi_difference.hpp>
49#include <boost/spirit/include/qi_eoi.hpp>
50#include <boost/spirit/include/qi_list.hpp>
51#include <boost/spirit/include/qi_parse.hpp>
52#include <boost/spirit/include/qi_plus.hpp>
53#include <boost/spirit/include/qi_sequence.hpp>
54#include <boost/spirit/include/qi_string.hpp>
55#include <cstdint>
56#include <iterator>
57#include <string>
58#include <unordered_map>
59#include <utility>
60#include <vector>
61
62#include "md5_l.h"
63#include "string_tools.h"
64#include "crypto/crypto.h"
65
66namespace {
// Short-hand for the unit under test (epee's HTTP auth helpers).
namespace http = epee::net_utils::http;

// One Digest header, parsed or about to be written: parameter name -> raw
// value. Values are stored exactly as given (including any quotes the caller
// added with quoted()); nothing here normalises case.
using fields = std::unordered_map<std::string, std::string>;

// Every WWW-Authenticate challenge found in one response, in header order.
using auth_responses = std::vector<fields>;
70
// Entropy callback handed to http_server_auth so nonces come from the
// project's random generator (crypto::rand) rather than a fixed test value.
// `ptr` must point at `len` writable bytes.
void rng(size_t len, uint8_t *ptr)
{
  crypto::rand(len, ptr);
}
75
// Wraps `str` in double quotes, the way Digest parameters such as nonce,
// realm and uri are sent. No escaping is performed: an embedded '"' is
// emitted as-is, which is fine for the quote-free inputs used in this file.
std::string quoted(std::string str)
{
  std::string out;
  out.reserve(str.size() + 2);
  out += '"';
  out += str;
  out += '"';
  return out;
}
82
// Appends `args` to `out` as a Digest parameter list: "name = value" pairs
// joined by " , ". Values are written verbatim, so callers quote them with
// quoted() where the header syntax needs it. The unordered_map decides the
// order, so the rendered text is not stable across inputs.
void write_fields(std::string& out, const fields& args)
{
  namespace karma = boost::spirit::karma;
  auto sink = std::back_inserter(out);
  karma::generate(sink,
                  (karma::string << " = " << karma::string) % " , ",
                  args);
}
91
// Convenience overload: returns the rendered parameter list as a new string.
std::string write_fields(const fields& args)
{
  std::string rendered;
  write_fields(rendered, args);
  return rendered;
}
98
// Builds a request carrying one `authorization: DIGEST ...` header whose
// parameters are `args`. The scheme is upper-cased and padded with spaces and
// the header name is lower-case, presumably to exercise the server's
// case-insensitive, whitespace-tolerant parsing (confirm against http_auth).
// The method is fixed to "NOP"; get_a2() mirrors that when computing A2.
http::http_request_info make_request(const fields& args)
{
  std::string header_value{" DIGEST "};
  write_fields(header_value, args);

  http::http_request_info request{};
  request.m_http_method_str = "NOP";
  request.m_header_info.m_etc_fields.emplace_back(u8"authorization", std::move(header_value));
  return request;
}
111
// Builds a response carrying one `WWW-authenticate: DIGEST ...` header per
// entry of `choices`, in order, so a test can offer the client several
// challenges at once. Header name and scheme are deliberately not in
// canonical case (presumably to exercise case-insensitive matching — confirm
// against http_auth). The headers go into m_header_info.m_etc_fields, which is
// where the client-side tests read them from.
http::http_response_info make_response(const auth_responses& choices)
{
  http::http_response_info response{};
  auto& headers = response.m_header_info.m_etc_fields;
  for (const fields& challenge : choices)
  {
    std::string header_value{" DIGEST "};
    write_fields(header_value, challenge);
    headers.emplace_back(u8"WWW-authenticate", std::move(header_value));
  }
  return response;
}
126
// Checks that every challenge in `in` carries the same nonce/qop/realm/stale
// values as the first one: a response that advertises several Digest variants
// must still agree on the session parameters. Mismatches are reported through
// EXPECT_EQ and the result is also returned so callers can assert on it.
// Empty input is trivially consistent. A challenge that lacks one of the four
// keys makes unordered_map::at throw std::out_of_range out of the test body.
bool has_same_fields(const auth_responses& in)
{
  static const char* const checked_keys[] = {u8"nonce", u8"qop", u8"realm", u8"stale"};

  if (in.empty())
    return true;

  const fields& reference = in.front();
  for (auto challenge = std::next(in.begin()); challenge != in.end(); ++challenge)
  {
    for (const char* key : checked_keys)
    {
      const std::string& expected = reference.at(key);
      const std::string& actual = challenge->at(key);
      EXPECT_EQ(expected, actual);
      if (expected != actual)
        return false;
    }
  }
  return true;
}
150
// Returns true when `response` is the server's challenge: HTTP 401 with the
// "Unauthorized" reason phrase and a text/html body type. Each part is also
// reported through an EXPECT_* so a failing caller shows which one differed.
bool is_unauthorized(const http::http_response_info& response)
{
  const bool code_ok = response.m_response_code == 401;
  const bool comment_ok = response.m_response_comment == u8"Unauthorized";
  // `m_mime_tipe` is the field's real (misspelled) name in http_response_info.
  const bool mime_ok = response.m_mime_tipe == u8"text/html";

  EXPECT_EQ(401, response.m_response_code);
  EXPECT_STREQ(u8"Unauthorized", response.m_response_comment.c_str());
  EXPECT_STREQ(u8"text/html", response.m_mime_tipe.c_str());
  return code_ok && comment_ok && mime_ok;
}
160
// Parses the value of one Digest header (the client's `Authorization` line in
// these tests) into a name -> value map. The accepted shape is
//   "Digest " name=value ( "," name=value )* <end of input>
// where name is one or more ASCII letters and value is either a quoted string
// (non-empty, everything up to the next '"', no escape handling) or a bare
// token of printable ASCII excluding the HTTP separator characters.
// qi::parse is used without a skipper, so no whitespace is allowed around
// '=' or ','; the "Digest " prefix must match exactly (case and the single
// trailing space); quotes are stripped from quoted values; names keep their
// case, so lookups such as at(u8"algorithm") need the exact spelling.
// Throws std::runtime_error when the value does not match as a whole.
fields parse_fields(const std::string& value)
{
  namespace qi = boost::spirit::qi;

  fields out{};
  const bool rc = qi::parse(
    value.begin(), value.end(),
    qi::lit(u8"Digest ") >> ((
      +qi::ascii::alpha >>           // parameter name
      qi::lit('=') >> (
        // quoted-string: the lit('"') parts are not captured
        (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) |
        // token: printable ASCII minus the RFC 2616 separators
        +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}"))
      )
    ) % ','
    ) >> qi::eoi,                    // trailing garbage is a failure
    out
  );
  if (!rc)
    throw std::runtime_error{"Bad field given in HTTP header"};

  return out;
}
183
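// Collects every `WWW-authenticate` challenge from a server response, in
// header order, each parsed with parse_fields(). Only m_additional_fields is
// scanned, which is where the server-side tests find the challenge (DogFood
// copies it into m_etc_fields for the client). The header-name comparison is
// exact (boost::equals is case-sensitive), so a differently cased name is
// skipped, and a challenge that parse_fields() rejects propagates its
// std::runtime_error. Returns an empty vector when no challenge is present.
auth_responses parse_response(const http::http_response_info& response)
{
  auth_responses result{};
  // A plain filter loop replaces the previous find_if-in-for(;;) form, whose
  // trailing `return result;` was unreachable.
  for (const auto& field : response.m_additional_fields)
  {
    if (boost::equals(u8"WWW-authenticate", field.first))
      result.push_back(parse_fields(field.second));
  }
  return result;
}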
202
// Hex-encodes the 16-byte MD5 of `in` through pod_to_hex. MD5 is what RFC 2617
// Digest specifies, so this is the reference digest the tests compare the
// server's and client's output against — not a general-purpose hash helper.
// The letter case of the hex output is not pinned here; the tests compare
// with boost::iequals where it matters.
std::string md5_hex(const std::string& in)
{
  md5::MD5_CTX ctx{};
  std::array<std::uint8_t, 16> digest{{}};

  md5::MD5Init(&ctx);
  const auto* bytes = reinterpret_cast<const std::uint8_t*>(in.data());
  md5::MD5Update(&ctx, bytes, in.size());
  md5::MD5Final(digest.data(), &ctx);

  return epee::string_tools::pod_to_hex(digest);
}
217
// A1 for plain Digest: "username:realm:password" (RFC 2617 §3.2.2.2), taking
// the realm from the server's challenge `src` (throws std::out_of_range if
// it has none). The password is copied out of the login into an ordinary
// std::string, which is never wiped — acceptable in a test, not elsewhere.
std::string get_a1(const http::login& user, const fields& src)
{
  const std::string& realm = src.at(u8"realm");

  std::string a1 = user.username;
  a1 += u8":";
  a1 += realm;
  a1 += u8":";
  a1.append(user.password.data(), user.password.size());
  return a1;
}
225
// A1 computed against the first challenge of `responses`; throws
// std::out_of_range when there is none.
std::string get_a1(const http::login& user, const auth_responses& responses)
{
  const fields& first_challenge = responses.at(0);
  return get_a1(user, first_challenge);
}
230
// A1 for algorithm=MD5-sess: "MD5(A1):nonce:cnonce" (RFC 2617 §3.2.2.2), with
// the nonce taken from the first challenge only, even if several were
// advertised. Throws std::out_of_range if that challenge has no nonce.
std::string get_a1_sess(const http::login& user, const std::string& cnonce, const auth_responses& responses)
{
  const std::string& nonce = responses.at(0).at(u8"nonce");

  std::string a1 = md5_hex(get_a1(user, responses));
  a1 += u8":";
  a1 += nonce;
  a1 += u8":";
  a1 += cnonce;
  return a1;
}
238
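// A2 for qop=auth or no qop: "method:uri" (RFC 2617 §3.2.2.3). `method`
// defaults to "NOP", the method make_request() stamps on every test request,
// so existing callers are unchanged; pass the real method for requests built
// some other way. Plain concatenation replaces the boost::join of two items.
std::string get_a2(const std::string& uri, const std::string& method = "NOP")
{
  return method + u8":" + uri;
}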
243
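// Formats the Digest nonce-count `nc` parameter: exactly eight lower-case hex
// digits, zero-padded ("00000001"), as RFC 2617 §3.2.2 prescribes. A
// std::uint32_t never needs more than eight digits, so the width is fixed.
// Implemented with the standard library only so the helper can be checked
// standalone; the previous Spirit.Karma generator produced the same text.
std::string get_nc(std::uint32_t count)
{
  static constexpr char hex_digits[] = "0123456789abcdef";
  std::string out(8, '0');
  // Fill from the least significant nibble; untouched positions stay '0'.
  for (int pos = 7; pos >= 0 && count != 0; --pos, count >>= 4)
    out[pos] = hex_digits[count & 0xFu];
  return out;
}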
256}
257
// A server constructed without credentials (and without an rng) never
// challenges: get_response() yields nothing even for a request that carries
// no Authorization header at all.
TEST(HTTP_Server_Auth, NotRequired)
{
  http::http_server_auth auth{}; // no rng here
  const http::http_request_info anonymous_request{};
  EXPECT_FALSE(auth.get_response(anonymous_request));
}
263
// With credentials configured, a request without an Authorization header must
// be challenged; an unrelated header (here one made of a non-ASCII byte) does
// not count as credentials.
TEST(HTTP_Server_Auth, MissingAuth)
{
  http::http_server_auth auth{{"foo", "bar"}, rng};

  const http::http_request_info bare_request{};
  EXPECT_TRUE(bool(auth.get_response(bare_request)));

  http::http_request_info unrelated_header{};
  unrelated_header.m_header_info.m_etc_fields.push_back({"\xFF", "\xFF"});
  EXPECT_TRUE(bool(auth.get_response(unrelated_header)));
}
274
// Malformed Authorization headers — an invalid byte in a bare value, inside a
// quoted value, and on either side of a parameter name — must each be
// answered with a challenge rather than accepted or left to crash the parser.
TEST(HTTP_Server_Auth, BadSyntax)
{
  http::http_server_auth auth{{"foo", "bar"}, rng};

  const fields malformed[] = {
    {{u8"algorithm", "fo\xFF"}},
    {{u8"cnonce", "\"000\xFF\""}},
    {{u8"cnonce \xFF =", "\"000\xFF\""}},
    {{u8" \xFF cnonce", "\"000\xFF\""}},
  };
  for (const fields& args : malformed)
    EXPECT_TRUE(bool(auth.get_response(make_request(args)))) << "args: " << write_fields(args);
}
283
// Digest round-trip without qop (the RFC 2069-compatible form): compute the
// response hash independently from the server's challenge, check the server
// accepts it once, then check that replaying the identical request is refused
// with a stale=true re-challenge carrying a fresh nonce.
TEST(HTTP_Server_Auth, MD5)
{
  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  // A Digest header with no parameters is not a credential: expect a 401.
  const auto response = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));

  // The server sends at least two WWW-Authenticate challenges (what
  // distinguishes them is not visible here); they must agree on
  // nonce/qop/realm/stale. NB: this local shadows the `fields` type alias
  // for the rest of the test body.
  const auto fields = parse_response(*response);
  ASSERT_LE(2u, fields.size());
  EXPECT_TRUE(has_same_fields(fields));

  // Pins the length of the nonce the server generates (24 characters; the
  // encoding behind that number is not visible here). `24` against size_t
  // draws a sign-compare warning on some compilers; 24u would be cleaner.
  const std::string& nonce = fields[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  // Reference computation, RFC 2617 §3.2.2.1 with no qop:
  //   response = MD5( MD5(A1) ":" nonce ":" MD5(A2) )
  const std::string a1 = get_a1(user, fields);
  const std::string a2 = get_a2(uri);

  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
  );

  // Smallest valid credential: no algorithm, qop, cnonce or nc parameters.
  const auto request = make_request({
    {u8"nonce", quoted(nonce)},
    {u8"realm", quoted(fields[0].at(u8"realm"))},
    {u8"response", quoted(auth_code)},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  });

  // First presentation is accepted: no challenge comes back.
  EXPECT_FALSE(bool(auth.get_response(request)));

  // Presenting the identical request again must fail: without qop there is
  // no nonce-count, so the test requires a nonce to be single-use and treats
  // this as a replay. The server answers with a new 401 ...
  const auto response2 = auth.get_response(request);
  ASSERT_TRUE(bool(response2));
  EXPECT_TRUE(is_unauthorized(*response2));

  const auto fields2 = parse_response(*response2);
  ASSERT_LE(2u, fields2.size());
  EXPECT_TRUE(has_same_fields(fields2));

  // ... carrying a different nonce and stale=true, which tells a client to
  // retry with the new nonce instead of treating the password as wrong.
  EXPECT_NE(nonce, fields2[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
330
// Same round-trip as the MD5 test but with algorithm=MD5-sess, where
// A1 = MD5(username:realm:password):nonce:cnonce (see get_a1_sess) and the
// client therefore has to send its cnonce even though no qop is in use.
TEST(HTTP_Server_Auth, MD5_sess)
{
  constexpr const char cnonce[] = "not a good cnonce";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  // Parameterless Digest header: expect the initial challenge.
  const auto response = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));

  // NB: this local shadows the `fields` type alias for the rest of the body.
  const auto fields = parse_response(*response);
  ASSERT_LE(2u, fields.size());
  EXPECT_TRUE(has_same_fields(fields));

  // `24` against size_t draws a sign-compare warning on some compilers.
  const std::string& nonce = fields[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  // response = MD5( MD5(A1-sess) ":" nonce ":" MD5(A2) ), no qop.
  const std::string a1 = get_a1_sess(user, cnonce, fields);
  const std::string a2 = get_a2(uri);

  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
  );

  // algorithm is sent as a bare lower-case token (the RFC spells it
  // "MD5-sess"), so the server is expected to match it case-insensitively.
  const auto request = make_request({
    {u8"algorithm", u8"md5-sess"},
    {u8"cnonce", quoted(cnonce)},
    {u8"nonce", quoted(nonce)},
    {u8"realm", quoted(fields[0].at(u8"realm"))},
    {u8"response", quoted(auth_code)},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  });

  // First presentation accepted.
  EXPECT_FALSE(bool(auth.get_response(request)));

  // Replay of the same request: refused with a fresh nonce and stale=true.
  const auto response2 = auth.get_response(request);
  ASSERT_TRUE(bool(response2));
  EXPECT_TRUE(is_unauthorized(*response2));

  const auto fields2 = parse_response(*response2);
  ASSERT_LE(2u, fields2.size());
  EXPECT_TRUE(has_same_fields(fields2));

  EXPECT_NE(nonce, fields2[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
381
// Digest with qop=auth: response = MD5( MD5(A1):nonce:nc:cnonce:qop:MD5(A2) ).
// The nonce-count lets one nonce be reused across requests, so the test sends
// nc = 1..19 in order and expects every one to pass, then re-sends the nc=1
// request and expects a stale=true re-challenge: a nonce-count the server has
// already seen must be refused, or qop=auth gives no replay protection.
TEST(HTTP_Server_Auth, MD5_auth)
{
  constexpr const char cnonce[] = "not a nonce";
  constexpr const char qop[] = "auth";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  // Parameterless Digest header: expect the initial challenge.
  const auto response = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));

  const auto parsed = parse_response(*response);
  ASSERT_LE(2u, parsed.size());
  EXPECT_TRUE(has_same_fields(parsed));

  // `24` against size_t draws a sign-compare warning on some compilers.
  const std::string& nonce = parsed[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  const std::string a1 = get_a1(user, parsed);
  const std::string a2 = get_a2(uri);
  std::string nc = get_nc(1);

  // Captures `nc` by reference, so each call hashes the current count.
  const auto generate_auth = [&] {
    return md5_hex(
      boost::join(
        std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, qop, md5_hex(a2)}, u8":"
      )
    );
  };

  // algorithm and qop are sent as quoted strings here (other tests send bare
  // tokens); both forms should be accepted.
  fields args{
    {u8"algorithm", quoted(u8"md5")},
    {u8"cnonce", quoted(cnonce)},
    {u8"nc", nc},
    {u8"nonce", quoted(nonce)},
    {u8"qop", quoted(qop)},
    {u8"realm", quoted(parsed[0].at(u8"realm"))},
    {u8"response", quoted(generate_auth())},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  };

  // nc=1: accepted. The request is kept for the replay below.
  const auto request = make_request(args);
  EXPECT_FALSE(bool(auth.get_response(request)));

  // nc=2..19 against the same nonce: each accepted as the count increases.
  for (unsigned i = 2; i < 20; ++i)
  {
    nc = get_nc(i);
    args.at(u8"nc") = nc;
    args.at(u8"response") = quoted(generate_auth());
    EXPECT_FALSE(auth.get_response(make_request(args)));
  }

  // Replaying the nc=1 request after higher counts were seen must be refused
  // with a fresh 401 ...
  const auto replay = auth.get_response(request);
  ASSERT_TRUE(bool(replay));
  EXPECT_TRUE(is_unauthorized(*replay));

  const auto parsed_replay = parse_response(*replay);
  ASSERT_LE(2u, parsed_replay.size());
  EXPECT_TRUE(has_same_fields(parsed_replay));

  // ... that carries a new nonce and stale=true.
  EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
449
// MD5-sess combined with qop=auth: A1 comes from get_a1_sess() and the
// response includes nc/cnonce/qop as in the MD5_auth test. Covers the same
// sequence — nc=1 accepted, nc=2..19 accepted, nc=1 replay refused with
// stale=true — with algorithm and qop sent as bare tokens.
TEST(HTTP_Server_Auth, MD5_sess_auth)
{
  constexpr const char cnonce[] = "not a nonce";
  constexpr const char qop[] = "auth";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  // Parameterless Digest header: expect the initial challenge.
  const auto response = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));

  const auto parsed = parse_response(*response);
  ASSERT_LE(2u, parsed.size());
  EXPECT_TRUE(has_same_fields(parsed));

  // `24` against size_t draws a sign-compare warning on some compilers.
  const std::string& nonce = parsed[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  const std::string a1 = get_a1_sess(user, cnonce, parsed);
  const std::string a2 = get_a2(uri);
  std::string nc = get_nc(1);

  // Captures `nc` by reference, so each call hashes the current count.
  const auto generate_auth = [&] {
    return md5_hex(
      boost::join(
        std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, qop, md5_hex(a2)}, u8":"
      )
    );
  };

  // algorithm (lower-case "md5-sess") and qop are bare tokens here.
  fields args{
    {u8"algorithm", u8"md5-sess"},
    {u8"cnonce", quoted(cnonce)},
    {u8"nc", nc},
    {u8"nonce", quoted(nonce)},
    {u8"qop", qop},
    {u8"realm", quoted(parsed[0].at(u8"realm"))},
    {u8"response", quoted(generate_auth())},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  };

  // nc=1: accepted. The request is kept for the replay below.
  const auto request = make_request(args);
  EXPECT_FALSE(bool(auth.get_response(request)));

  // nc=2..19 against the same nonce: each accepted as the count increases.
  for (unsigned i = 2; i < 20; ++i)
  {
    nc = get_nc(i);
    args.at(u8"nc") = nc;
    args.at(u8"response") = quoted(generate_auth());
    EXPECT_FALSE(auth.get_response(make_request(args)));
  }

  // Replaying the nc=1 request must be refused with a fresh 401 ...
  const auto replay = auth.get_response(request);
  ASSERT_TRUE(bool(replay));
  EXPECT_TRUE(is_unauthorized(*replay));

  const auto parsed_replay = parse_response(*replay);
  ASSERT_LE(2u, parsed_replay.size());
  EXPECT_TRUE(has_same_fields(parsed_replay));

  // ... that carries a new nonce and stale=true.
  EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
517
518
// Runs the project's own client against the project's own server: the client
// answers the server's challenge, keeps the nonce alive for 1000 further
// requests with an increasing nonce-count, and handles a stale=true
// re-challenge after a second client instance tried to restart the count.
TEST(HTTP_Auth, DogFood)
{
  // Asks the client for an Authorization header for the request's method and
  // URI and appends it; reports (and returns false) if the client has none.
  const auto add_auth_field = [] (http::http_request_info& request, http::http_client_auth& client)
  {
    auto field = client.get_auth_field(request.m_http_method_str, request.m_URI);
    EXPECT_TRUE(bool(field));
    if (!field)
      return false;
    request.m_header_info.m_etc_fields.push_back(std::move(*field));
    return true;
  };

  const http::login user{"some_user", "ultimate password"};

  http::http_server_auth server{user, rng};
  http::http_client_auth client{user};

  http::http_request_info request{};
  request.m_http_method_str = "GET";
  request.m_URI = "/FOO";

  // Unauthenticated request: the server challenges. The server puts its
  // WWW-Authenticate header into m_additional_fields while the client's
  // handle_401 reads m_header_info.m_etc_fields, so the test hands it over.
  auto response = server.get_response(request);
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));
  EXPECT_TRUE(response->m_header_info.m_etc_fields.empty());
  response->m_header_info.m_etc_fields = response->m_additional_fields;

  // Client consumes the challenge and its first credential is accepted.
  EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response));
  EXPECT_TRUE(add_auth_field(request, client));
  EXPECT_FALSE(bool(server.get_response(request)));

  // The method string is appended to (not replaced), so every iteration uses
  // a new method and hence a new A2; the client keeps incrementing nc against
  // the same nonce and the server must accept all 1000.
  for (unsigned i = 0; i < 1000; ++i)
  {
    request.m_http_method_str += std::to_string(i);
    request.m_header_info.m_etc_fields.clear();
    EXPECT_TRUE(add_auth_field(request, client));
    EXPECT_FALSE(bool(server.get_response(request)));
  }

  // resetting counter should be rejected by server
  // (a fresh client fed the old challenge restarts nc, which is a replay
  // from the server's point of view)
  request.m_header_info.m_etc_fields.clear();
  client = http::http_client_auth{user};
  EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response));
  EXPECT_TRUE(add_auth_field(request, client));

  // The server re-challenges; hand the header over as above.
  auto response2 = server.get_response(request);
  ASSERT_TRUE(bool(response2));
  EXPECT_TRUE(is_unauthorized(*response2));
  EXPECT_TRUE(response2->m_header_info.m_etc_fields.empty());
  response2->m_header_info.m_etc_fields = response2->m_additional_fields;

  // The re-challenge must carry a different nonce than the first one.
  const auth_responses parsed1 = parse_response(*response);
  const auth_responses parsed2 = parse_response(*response2);
  ASSERT_LE(1u, parsed1.size());
  ASSERT_LE(1u, parsed2.size());
  EXPECT_NE(parsed1[0].at(u8"nonce"), parsed2[0].at(u8"nonce"));

  // with stale=true client should reset
  request.m_header_info.m_etc_fields.clear();
  EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response2));
  EXPECT_TRUE(add_auth_field(request, client));
  EXPECT_FALSE(bool(server.get_response(request)));

  // client should give up if stale=false
  // (re-feeding the original, non-stale challenge means the credentials
  // themselves were rejected)
  EXPECT_EQ(http::http_client_auth::kBadPassword, client.handle_401(*response));
}
585
// A client constructed without credentials cannot answer a challenge: it
// reports kBadPassword and never produces an Authorization header.
TEST(HTTP_Client_Auth, Unavailable)
{
  http::http_client_auth no_credentials{};
  const http::http_response_info challenge{};
  EXPECT_EQ(http::http_client_auth::kBadPassword, no_credentials.handle_401(challenge));
  EXPECT_FALSE(bool(no_credentials.get_auth_field("GET", "/file")));
}
592
// A 401 with no WWW-Authenticate header (or only an unrelated header made of
// a non-ASCII byte) is a parse failure, and the client produces no
// Authorization header afterwards — not even for a URI with non-ASCII bytes.
TEST(HTTP_Client_Auth, MissingAuthenticate)
{
  http::http_client_auth auth{{"foo", "bar"}};
  const auto parse_failure = http::http_client_auth::kParseFailure;

  EXPECT_EQ(parse_failure, auth.handle_401(http::http_response_info{}));
  EXPECT_FALSE(bool(auth.get_auth_field("POST", "/\xFFname")));

  http::http_response_info unrelated_header{};
  unrelated_header.m_additional_fields.push_back({"\xFF", "\xFF"});
  EXPECT_EQ(parse_failure, auth.handle_401(unrelated_header));
  EXPECT_FALSE(bool(auth.get_auth_field("DELETE", "/file/does/not/exist")));
}
605
// Each malformed challenge — an invalid byte in a realm, domain or nonce
// value, or on either side of the parameter name — must be reported as
// kParseFailure rather than partially accepted.
TEST(HTTP_Client_Auth, BadSyntax)
{
  http::http_client_auth auth{{"foo", "bar"}};

  const fields malformed[] = {
    {{u8"realm", "fo\xFF"}},
    {{u8"domain", "fo\xFF"}},
    {{u8"nonce", "fo\xFF"}},
    {{u8"nonce \xFF =", "fo\xFF"}},
    {{u8" \xFF nonce", "fo\xFF"}},
  };
  for (const fields& challenge : malformed)
    EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({challenge})))
      << "challenge: " << write_fields(challenge);
}
615
// Client side of plain Digest (no qop): offered two challenges, the client
// must pick the first — which names no algorithm and spells the realm key
// "REALM" — and ignore the second, whose algorithm is "null". Its
// Authorization header is then checked parameter by parameter and its
// response hash recomputed with the helpers above.
TEST(HTTP_Client_Auth, MD5)
{
  constexpr char method[] = "NOP";
  constexpr char nonce[] = "some crazy nonce";
  constexpr char realm[] = "the only realm";
  constexpr char uri[] = "/some_file";

  const http::login user{"foo", "bar"};
  http::http_client_auth auth{user};

  // The second challenge has an "e" prefixed to nonce and realm so the
  // assertions below can tell which one the client chose.
  auto response = make_response({
    {
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(nonce)},
      {u8"REALM", quoted(realm)}
    },
    {
      {u8"algorithm", "null"},
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(std::string{"e"} + nonce)},
      {u8"realm", quoted(std::string{"e"} + realm)}
    },
  });

  EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
  const auto auth_field = auth.get_auth_field(method, uri);
  ASSERT_TRUE(bool(auth_field));

  // parse_fields() requires the exact "Digest " prefix and lower-case
  // parameter names, so these lookups also pin the client's output spelling.
  // Without qop there must be no opaque/qop/nc, algorithm defaults to MD5,
  // and nonce/realm are the first challenge's (realm matched despite "REALM").
  const auto parsed = parse_fields(auth_field->second);
  EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
  EXPECT_EQ(parsed.end(), parsed.find(u8"opaque"));
  EXPECT_EQ(parsed.end(), parsed.find(u8"qop"));
  EXPECT_EQ(parsed.end(), parsed.find(u8"nc"));
  EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
  EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
  EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
  EXPECT_EQ(user.username, parsed.at(u8"username"));
  EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());

  // Recompute response = MD5( MD5(A1) ":" nonce ":" MD5(A2) ); the hex case
  // of the client's value is not pinned, hence iequals.
  const std::string a1 = get_a1(user, parsed);
  const std::string a2 = get_a2(uri);
  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
  );
  EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
  {
    // No qop means no nonce-count, so asking again yields the same header.
    const auto auth_field_dup = auth.get_auth_field(method, uri);
    ASSERT_TRUE(bool(auth_field_dup));
    EXPECT_EQ(*auth_field, *auth_field_dup);
  }


  // The same challenge again, without stale, means the credentials were
  // rejected; with stale=TRUE (upper-case, so the match must be
  // case-insensitive) appended to the chosen challenge the client retries.
  EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response));
  response.m_header_info.m_etc_fields.front().second.append(u8"," + write_fields({{u8"stale", u8"TRUE"}}));
  EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
}
672
// Client side of Digest with qop=auth: offered a first challenge whose qop
// list contains no usable value and a second one with mixed-case parameter
// names and "auth" inside its qop list, the client must pick the second,
// echo its opaque value, and increment nc on every Authorization header it
// produces (checked for nc = 1..999, each with a recomputed response hash).
TEST(HTTP_Client_Auth, MD5_auth)
{
  // The expected digest is built with an empty cnonce, so this pins the
  // client to contributing an empty cnonce with qop=auth. RFC 2617 §3.2.2
  // makes cnonce mandatory with qop, and a client-chosen nonce is what
  // protects the client against a chosen-challenge server — worth confirming
  // this is intended rather than an omission in the client.
  constexpr char cnonce[] = "";
  constexpr char method[] = "NOP";
  constexpr char nonce[] = "some crazy nonce";
  constexpr char opaque[] = "this is the opaque";
  constexpr char qop[] = u8"ignore,auth,ignore";
  constexpr char realm[] = "the only realm";
  constexpr char uri[] = "/some_file";

  const http::login user{"foo", "bar"};
  http::http_client_auth auth{user};

  // First challenge: "e"-prefixed nonce/realm and a qop list without "auth",
  // so it is unusable. Second: the one the client must select, with
  // parameter names in odd case to exercise case-insensitive matching.
  auto response = make_response({
    {
      {u8"algorithm", u8"MD5"},
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(std::string{"e"} + nonce)},
      {u8"realm", quoted(std::string{"e"} + realm)},
      {u8"qop", quoted("some,thing,to,ignore")}
    },
    {
      {u8"algorIthm", quoted(u8"md5")},
      {u8"domain", quoted("ignored")},
      {u8"noNce", quoted(nonce)},
      {u8"opaque", quoted(opaque)},
      {u8"realm", quoted(realm)},
      {u8"QoP", quoted(qop)}
    }
  });

  EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));

  // Each get_auth_field() call must use the next nonce-count, formatted as
  // get_nc() does, and keep every other parameter stable.
  for (unsigned i = 1; i < 1000; ++i)
  {
    const std::string nc = get_nc(i);

    const auto auth_field = auth.get_auth_field(method, uri);
    ASSERT_TRUE(bool(auth_field));

    const auto parsed = parse_fields(auth_field->second);
    EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
    EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
    EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
    EXPECT_STREQ(opaque, parsed.at(u8"opaque").c_str());
    EXPECT_STREQ(u8"auth", parsed.at(u8"qop").c_str());
    EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
    EXPECT_EQ(user.username, parsed.at(u8"username"));
    EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());
    EXPECT_EQ(nc, parsed.at(u8"nc"));

    // response = MD5( MD5(A1):nonce:nc:cnonce:"auth":MD5(A2) ); hex case of
    // the client's value is not pinned, hence iequals.
    const std::string a1 = get_a1(user, parsed);
    const std::string a2 = get_a2(uri);
    const std::string auth_code = md5_hex(
      boost::join(std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, u8"auth", md5_hex(a2)}, u8":")
    );
    EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
  }

  // The same challenge again, without stale, means the credentials were
  // rejected; with stale=trUe (mixed case) appended to the chosen (last)
  // challenge the client retries.
  EXPECT_EQ(http::http_client_auth::kBadPassword, auth.handle_401(response));
  response.m_header_info.m_etc_fields.back().second.append(u8"," + write_fields({{u8"stale", u8"trUe"}}));
  EXPECT_EQ(http::http_client_auth::kSuccess, auth.handle_401(response));
}
736
737
// add_field appends "name: value\r\n" to an existing header buffer — with
// C-string, std::string and pair arguments alike — without touching what is
// already in the buffer.
TEST(HTTP, Add_Field)
{
  std::string headers{"leading text"};
  const std::string expected{"leading textfoo: bar\r\nbar: foo\r\nmoarbars: moarfoo\r\n"};

  http::add_field(headers, "foo", "bar");
  http::add_field(headers, std::string("bar"), std::string("foo"));
  http::add_field(headers, {"moarbars", "moarfoo"});

  EXPECT_STREQ(expected.c_str(), headers.c_str());
}