/* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*/
#include <apr_strings.h>
#include "serf.h"
#include "test_serf.h"
static apr_status_t
authn_callback_expect_not_called(char **username,
char **password,
serf_request_t *request, void *baton,
int code, const char *authn_type,
const char *realm,
apr_pool_t *pool)
{
handler_baton_t *handler_ctx = baton;
test_baton_t *tb = handler_ctx->tb;
tb->result_flags |= TEST_RESULT_AUTHNCB_CALLED;
/* Should not have been called. */
return SERF_ERROR_ISSUE_IN_TESTSUITE;
}
/* Tests that authn fails if all authn schemes are disabled. */
static void test_authentication_disabled(CuTest *tc)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
test_server_message_t message_list[] = {
{CHUNKED_REQUEST(1, "1")} };
test_server_action_t action_list[] = {
{SERVER_RESPOND, "HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"WWW-Authenticate: Basic realm=""Test Suite""" CRLF
CRLF
"1" CRLF CRLF
"0" CRLF CRLF},
};
apr_status_t status;
apr_pool_t *test_pool = tc->testBaton;
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 1,
action_list, 1, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
serf_config_authn_types(tb->context, SERF_AUTHN_NONE);
serf_config_credentials_callback(tb->context,
authn_callback_expect_not_called);
create_new_request(tb, &handler_ctx[0], "GET", "/", 1);
status = test_helper_run_requests_no_check(tc, tb, 1,
handler_ctx, test_pool);
CuAssertIntEquals(tc, SERF_ERROR_AUTHN_NOT_SUPPORTED, status);
CuAssertIntEquals(tc, 1, tb->sent_requests->nelts);
CuAssertIntEquals(tc, 1, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, 0, tb->handled_requests->nelts);
CuAssertTrue(tc, !(tb->result_flags & TEST_RESULT_AUTHNCB_CALLED));
}
/* Tests that authn fails if encountered an unsupported scheme. */
static void test_unsupported_authentication(CuTest *tc)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
test_server_message_t message_list[] = {
{CHUNKED_REQUEST(1, "1")} };
test_server_action_t action_list[] = {
{SERVER_RESPOND, "HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"WWW-Authenticate: NotExistent realm=""Test Suite""" CRLF
CRLF
"1" CRLF CRLF
"0" CRLF CRLF},
};
apr_status_t status;
apr_pool_t *test_pool = tc->testBaton;
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 1,
action_list, 1, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
serf_config_authn_types(tb->context, SERF_AUTHN_ALL);
serf_config_credentials_callback(tb->context,
authn_callback_expect_not_called);
create_new_request(tb, &handler_ctx[0], "GET", "/", 1);
status = test_helper_run_requests_no_check(tc, tb, 1,
handler_ctx, test_pool);
CuAssertIntEquals(tc, SERF_ERROR_AUTHN_NOT_SUPPORTED, status);
CuAssertIntEquals(tc, 1, tb->sent_requests->nelts);
CuAssertIntEquals(tc, 1, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, 0, tb->handled_requests->nelts);
CuAssertTrue(tc, !(tb->result_flags & TEST_RESULT_AUTHNCB_CALLED));
}
static apr_status_t
basic_authn_callback(char **username,
char **password,
serf_request_t *request, void *baton,
int code, const char *authn_type,
const char *realm,
apr_pool_t *pool)
{
handler_baton_t *handler_ctx = baton;
test_baton_t *tb = handler_ctx->tb;
tb->result_flags |= TEST_RESULT_AUTHNCB_CALLED;
if (code != 401)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp("Basic", authn_type) != 0)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp("<http://localhost:12345> Test Suite", realm) != 0)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
*username = "serf";
*password = "serftest";
return APR_SUCCESS;
}
/* Test template, used for KeepAlive Off and KeepAlive On test */
static void basic_authentication(CuTest *tc, const char *resp_hdrs)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
int num_requests_sent, num_requests_recvd;
test_server_message_t message_list[3];
test_server_action_t action_list[3];
apr_status_t status;
apr_pool_t *test_pool = tc->testBaton;
/* Expected string relies on strict order of headers, which is not
guaranteed. c2VyZjpzZXJmdGVzdA== is base64 encoded serf:serftest . */
message_list[0].text = CHUNKED_REQUEST(1, "1");
message_list[1].text = apr_psprintf(test_pool,
"GET / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: Basic c2VyZjpzZXJmdGVzdA==" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"1" CRLF
"0" CRLF CRLF);
message_list[2].text = apr_psprintf(test_pool,
"GET / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: Basic c2VyZjpzZXJmdGVzdA==" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"2" CRLF
"0" CRLF CRLF);
action_list[0].kind = SERVER_RESPOND;
/* Use non-standard case WWW-Authenticate header and scheme name to test
for case insensitive comparisons. */
action_list[0].text = apr_psprintf(test_pool,
"HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"www-Authenticate: bAsIc realm=""Test Suite""" CRLF
"%s"
CRLF
"1" CRLF CRLF
"0" CRLF CRLF, resp_hdrs);
action_list[1].kind = SERVER_RESPOND;
action_list[1].text = CHUNKED_EMPTY_RESPONSE;
action_list[2].kind = SERVER_RESPOND;
action_list[2].text = CHUNKED_EMPTY_RESPONSE;
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 3,
action_list, 3, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
serf_config_authn_types(tb->context, SERF_AUTHN_BASIC);
serf_config_credentials_callback(tb->context, basic_authn_callback);
create_new_request(tb, &handler_ctx[0], "GET", "/", 1);
/* Test that a request is retried and authentication headers are set
correctly. */
num_requests_sent = 1;
num_requests_recvd = 2;
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertIntEquals(tc, num_requests_recvd, tb->sent_requests->nelts);
CuAssertIntEquals(tc, num_requests_recvd, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, num_requests_sent, tb->handled_requests->nelts);
CuAssertTrue(tc, tb->result_flags & TEST_RESULT_AUTHNCB_CALLED);
/* Test that credentials were cached by asserting that the authn callback
wasn't called again. */
tb->result_flags = 0;
create_new_request(tb, &handler_ctx[0], "GET", "/", 2);
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertTrue(tc, !(tb->result_flags & TEST_RESULT_AUTHNCB_CALLED));
}
static void test_basic_authentication(CuTest *tc)
{
basic_authentication(tc, "");
}
static void test_basic_authentication_keepalive_off(CuTest *tc)
{
basic_authentication(tc, "Connection: close" CRLF);
}
static apr_status_t
digest_authn_callback(char **username,
char **password,
serf_request_t *request, void *baton,
int code, const char *authn_type,
const char *realm,
apr_pool_t *pool)
{
handler_baton_t *handler_ctx = baton;
test_baton_t *tb = handler_ctx->tb;
tb->result_flags |= TEST_RESULT_AUTHNCB_CALLED;
if (code != 401)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp("Digest", authn_type) != 0)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp("<http://localhost:12345> Test Suite", realm) != 0)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
*username = "serf";
*password = "serftest";
return APR_SUCCESS;
}
/* Test template, used for KeepAlive Off and KeepAlive On test */
static void digest_authentication(CuTest *tc, const char *resp_hdrs)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
int num_requests_sent, num_requests_recvd;
test_server_message_t message_list[2];
test_server_action_t action_list[2];
apr_pool_t *test_pool = tc->testBaton;
apr_status_t status;
/* Expected string relies on strict order of headers and attributes of
Digest, both are not guaranteed.
6ff0d4cc201513ce970d5c6b25e1043b is encoded as:
md5hex(md5hex("serf:Test Suite:serftest") & ":" &
md5hex("ABCDEF1234567890") & ":" &
md5hex("GET:/test/index.html"))
*/
message_list[0].text = CHUNKED_REQUEST_URI("/test/index.html", 1, "1");
message_list[1].text = apr_psprintf(test_pool,
"GET /test/index.html HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: Digest realm=\"Test Suite\", username=\"serf\", "
"nonce=\"ABCDEF1234567890\", uri=\"/test/index.html\", "
"response=\"6ff0d4cc201513ce970d5c6b25e1043b\", opaque=\"myopaque\", "
"algorithm=\"MD5\"" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"1" CRLF
"0" CRLF CRLF);
action_list[0].kind = SERVER_RESPOND;
action_list[0].text = apr_psprintf(test_pool,
"HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"WWW-Authenticate: Digest realm=\"Test Suite\","
"nonce=\"ABCDEF1234567890\",opaque=\"myopaque\","
"algorithm=\"MD5\",qop-options=\"auth\"" CRLF
"%s"
CRLF
"1" CRLF CRLF
"0" CRLF CRLF, resp_hdrs);
/* If the resp_hdrs includes "Connection: close", serf will automatically
reset the connection from the client side, no need to use
SERVER_KILL_CONNECTION. */
action_list[1].kind = SERVER_RESPOND;
action_list[1].text = CHUNKED_EMPTY_RESPONSE;
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 2,
action_list, 2, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
/* Add both Basic and Digest here, should use Digest only. */
serf_config_authn_types(tb->context, SERF_AUTHN_BASIC | SERF_AUTHN_DIGEST);
serf_config_credentials_callback(tb->context, digest_authn_callback);
create_new_request(tb, &handler_ctx[0], "GET", "/test/index.html", 1);
/* Test that a request is retried and authentication headers are set
correctly. */
num_requests_sent = 1;
num_requests_recvd = 2;
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertIntEquals(tc, num_requests_recvd, tb->sent_requests->nelts);
CuAssertIntEquals(tc, num_requests_recvd, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, num_requests_sent, tb->handled_requests->nelts);
CuAssertTrue(tc, tb->result_flags & TEST_RESULT_AUTHNCB_CALLED);
}
static void test_digest_authentication(CuTest *tc)
{
digest_authentication(tc, "");
}
static void test_digest_authentication_keepalive_off(CuTest *tc)
{
/* Add the Connection: close header to the response with the Digest headers.
This to test that the Digest headers will be added to the retry of the
request on the new connection. */
digest_authentication(tc, "Connection: close" CRLF);
}
static apr_status_t
switched_realm_authn_callback(char **username,
char **password,
serf_request_t *request, void *baton,
int code, const char *authn_type,
const char *realm,
apr_pool_t *pool)
{
handler_baton_t *handler_ctx = baton;
test_baton_t *tb = handler_ctx->tb;
const char *exp_realm = tb->user_baton;
tb->result_flags |= TEST_RESULT_AUTHNCB_CALLED;
if (code != 401)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp(exp_realm, realm) != 0)
return SERF_ERROR_ISSUE_IN_TESTSUITE;
if (strcmp(realm, "<http://localhost:12345> Test Suite") == 0) {
*username = "serf";
*password = "serftest";
} else {
*username = "serf_newrealm";
*password = "serftest";
}
return APR_SUCCESS;
}
/* Test template, used for both Basic and Digest switch realms test */
static void authentication_switch_realms(CuTest *tc,
const char *scheme,
const char *authn_attr,
const char *authz_attr_test_suite,
const char *authz_attr_wrong_realm,
const char *authz_attr_new_realm)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
int num_requests_sent, num_requests_recvd;
test_server_message_t message_list[5];
test_server_action_t action_list[5];
apr_pool_t *test_pool = tc->testBaton;
apr_status_t status;
message_list[0].text = CHUNKED_REQUEST(1, "1");
message_list[1].text = apr_psprintf(test_pool,
"GET / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: %s %s" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"1" CRLF
"0" CRLF CRLF, scheme, authz_attr_test_suite);
message_list[2].text = apr_psprintf(test_pool,
"GET / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: %s %s" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"2" CRLF
"0" CRLF CRLF, scheme, authz_attr_test_suite);
/* The client doesn't know that /newrealm/ is in another realm, so it
reuses the credentials cached on the connection. */
message_list[3].text = apr_psprintf(test_pool,
"GET /newrealm/index.html HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: %s %s" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"3" CRLF
"0" CRLF CRLF, scheme, authz_attr_wrong_realm);
message_list[4].text = apr_psprintf(test_pool,
"GET /newrealm/index.html HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: %s %s" CRLF
"Transfer-Encoding: chunked" CRLF
CRLF
"1" CRLF
"3" CRLF
"0" CRLF CRLF, scheme, authz_attr_new_realm);
action_list[0].kind = SERVER_RESPOND;
action_list[0].text = apr_psprintf(test_pool,
"HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"WWW-Authenticate: %s realm=""Test Suite""%s" CRLF
CRLF
"1" CRLF CRLF
"0" CRLF CRLF, scheme, authn_attr);
action_list[1].kind = SERVER_RESPOND;
action_list[1].text = CHUNKED_EMPTY_RESPONSE;
action_list[2].kind = SERVER_RESPOND;
action_list[2].text = CHUNKED_EMPTY_RESPONSE;
action_list[3].kind = SERVER_RESPOND;
action_list[3].text = apr_psprintf(test_pool,
"HTTP/1.1 401 Unauthorized" CRLF
"Transfer-Encoding: chunked" CRLF
"WWW-Authenticate: %s realm=""New Realm""%s" CRLF
CRLF
"1" CRLF CRLF
"0" CRLF CRLF, scheme, authn_attr);
action_list[4].kind = SERVER_RESPOND;
action_list[4].text = CHUNKED_EMPTY_RESPONSE;
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 5,
action_list, 5, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
serf_config_authn_types(tb->context, SERF_AUTHN_BASIC | SERF_AUTHN_DIGEST);
serf_config_credentials_callback(tb->context,
switched_realm_authn_callback);
create_new_request(tb, &handler_ctx[0], "GET", "/", 1);
/* Test that a request is retried and authentication headers are set
correctly. */
num_requests_sent = 1;
num_requests_recvd = 2;
tb->user_baton = "<http://localhost:12345> Test Suite";
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertIntEquals(tc, num_requests_recvd, tb->sent_requests->nelts);
CuAssertIntEquals(tc, num_requests_recvd, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, num_requests_sent, tb->handled_requests->nelts);
CuAssertTrue(tc, tb->result_flags & TEST_RESULT_AUTHNCB_CALLED);
/* Test that credentials were cached by asserting that the authn callback
wasn't called again. */
tb->result_flags = 0;
create_new_request(tb, &handler_ctx[0], "GET", "/", 2);
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertTrue(tc, !(tb->result_flags & TEST_RESULT_AUTHNCB_CALLED));
/* Switch realms. Test that serf asks the application for new
credentials. */
tb->result_flags = 0;
tb->user_baton = "<http://localhost:12345> New Realm";
create_new_request(tb, &handler_ctx[0], "GET", "/newrealm/index.html", 3);
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertTrue(tc, tb->result_flags & TEST_RESULT_AUTHNCB_CALLED);
}
static void test_basic_switch_realms(CuTest *tc)
{
authentication_switch_realms(tc, "Basic", "", "c2VyZjpzZXJmdGVzdA==",
"c2VyZjpzZXJmdGVzdA==",
"c2VyZl9uZXdyZWFsbTpzZXJmdGVzdA==");
}
static void test_digest_switch_realms(CuTest *tc)
{
authentication_switch_realms(tc, "Digest", ",nonce=\"ABCDEF1234567890\","
"opaque=\"myopaque\", algorithm=\"MD5\",qop-options=\"auth\"",
/* response hdr attribute for Test Suite realm, uri / */
"realm=\"Test Suite\", username=\"serf\", nonce=\"ABCDEF1234567890\", "
"uri=\"/\", response=\"3511a71fec5c02ab1c9212711a8baa58\", "
"opaque=\"myopaque\", algorithm=\"MD5\"",
/* response hdr attribute for Test Suite realm, uri /newrealm/index.html */
"realm=\"Test Suite\", username=\"serf\", nonce=\"ABCDEF1234567890\", "
"uri=\"/newrealm/index.html\", response=\"c6b673cf44ad16ef379930856b607344\", "
"opaque=\"myopaque\", algorithm=\"MD5\"",
/* response hdr attribute for New Realm realm, uri /newrealm/index.html */
"realm=\"New Realm\", username=\"serf_newrealm\", nonce=\"ABCDEF1234567890\", "
"uri=\"/newrealm/index.html\", response=\"f93f07d1412e53c421f66741a89198cb\", "
"opaque=\"myopaque\", algorithm=\"MD5\"");
}
static void test_auth_on_HEAD(CuTest *tc)
{
test_baton_t *tb;
handler_baton_t handler_ctx[2];
int num_requests_sent, num_requests_recvd;
apr_status_t status;
apr_pool_t *test_pool = tc->testBaton;
test_server_message_t message_list[] = {
{
"HEAD / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
CRLF
},
{
"HEAD / HTTP/1.1" CRLF
"Host: localhost:12345" CRLF
"Authorization: Basic c2VyZjpzZXJmdGVzdA==" CRLF
CRLF
},
};
test_server_action_t action_list[] = {
{
SERVER_RESPOND,
"HTTP/1.1 401 Unauthorized" CRLF
"WWW-Authenticate: Basic Realm=""Test Suite""" CRLF
CRLF
},
{
SERVER_RESPOND,
"HTTP/1.1 200 Ok" CRLF
"Content-Type: text/html" CRLF
CRLF
},
};
/* Set up a test context with a server */
status = test_http_server_setup(&tb,
message_list, 2,
action_list, 2, 0, NULL,
test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
serf_config_authn_types(tb->context, SERF_AUTHN_BASIC);
serf_config_credentials_callback(tb->context, basic_authn_callback);
create_new_request(tb, &handler_ctx[0], "HEAD", "/", -1);
/* Test that a request is retried and authentication headers are set
correctly. */
num_requests_sent = 1;
num_requests_recvd = 2;
status = test_helper_run_requests_no_check(tc, tb, num_requests_sent,
handler_ctx, test_pool);
CuAssertIntEquals(tc, APR_SUCCESS, status);
CuAssertIntEquals(tc, num_requests_recvd, tb->sent_requests->nelts);
CuAssertIntEquals(tc, num_requests_recvd, tb->accepted_requests->nelts);
CuAssertIntEquals(tc, num_requests_sent, tb->handled_requests->nelts);
CuAssertTrue(tc, tb->result_flags & TEST_RESULT_AUTHNCB_CALLED);
}
/*****************************************************************************/
CuSuite *test_auth(void)
{
CuSuite *suite = CuSuiteNew();
CuSuiteSetSetupTeardownCallbacks(suite, test_setup, test_teardown);
SUITE_ADD_TEST(suite, test_authentication_disabled);
SUITE_ADD_TEST(suite, test_unsupported_authentication);
SUITE_ADD_TEST(suite, test_basic_authentication);
SUITE_ADD_TEST(suite, test_basic_authentication_keepalive_off);
SUITE_ADD_TEST(suite, test_digest_authentication);
SUITE_ADD_TEST(suite, test_digest_authentication_keepalive_off);
SUITE_ADD_TEST(suite, test_basic_switch_realms);
SUITE_ADD_TEST(suite, test_digest_switch_realms);
SUITE_ADD_TEST(suite, test_auth_on_HEAD);
return suite;
}