/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */ #include "test-utils.h" static const char *base_uri; static GMainLoop *loop; typedef struct { /* Explanation of what you should see */ const char *explanation; /* URL to test against */ const char *url; /* Provided passwords, 1 character each. ('1', '2', and '3' * mean the correct passwords for "realm1", "realm2", and * "realm3" respectively. '4' means "use the wrong password".) * The first password (if present) will be used by * authenticate(), and the second (if present) will be used by * reauthenticate(). */ const char *provided; /* Whether to pass user and password in the URL or not. */ gboolean url_auth; /* Expected passwords, 1 character each. (As with the provided * passwords, with the addition that '0' means "no * Authorization header expected".) Used to verify that soup * used the password it was supposed to at each step. */ const char *expected; /* What the final status code should be. */ guint final_status; } SoupAuthTest; static SoupAuthTest main_tests[] = { { "No auth available, should fail", "Basic/realm1/", "", FALSE, "0", SOUP_STATUS_UNAUTHORIZED }, { "Should fail with no auth, fail again with bad password, and give up", "Basic/realm2/", "4", FALSE, "04", SOUP_STATUS_UNAUTHORIZED }, { "Auth provided this time, so should succeed", "Basic/realm1/", "1", FALSE, "01", SOUP_STATUS_OK }, { "Now should automatically reuse previous auth", "Basic/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Subdir should also automatically reuse auth", "Basic/realm1/subdir/", "", FALSE, "1", SOUP_STATUS_OK }, { "Subdir should retry last auth, but will fail this time", "Basic/realm1/realm2/", "", FALSE, "1", SOUP_STATUS_UNAUTHORIZED }, { "Now should use provided auth", "Basic/realm1/realm2/", "2", FALSE, "02", SOUP_STATUS_OK }, { "Reusing last auth. Should succeed on first try", "Basic/realm1/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Reuse will fail, but 2nd try will succeed because it's a known realm", "Basic/realm1/realm2/realm1/", "", FALSE, "21", SOUP_STATUS_OK }, { "Should succeed on first try. (Known realm with cached password)", "Basic/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Fail once, then use typoed password, then use right password", "Basic/realm3/", "43", FALSE, "043", SOUP_STATUS_OK }, { "No auth available, should fail", "Digest/realm1/", "", FALSE, "0", SOUP_STATUS_UNAUTHORIZED }, { "Should fail with no auth, fail again with bad password, and give up", "Digest/realm2/", "4", FALSE, "04", SOUP_STATUS_UNAUTHORIZED }, { "Known realm, auth provided, so should succeed", "Digest/realm1/", "1", FALSE, "01", SOUP_STATUS_OK }, { "Now should automatically reuse previous auth", "Digest/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Subdir should also automatically reuse auth", "Digest/realm1/subdir/", "", FALSE, "1", SOUP_STATUS_OK }, { "Password provided, should succeed", "Digest/realm2/", "2", FALSE, "02", SOUP_STATUS_OK }, { "Should already know correct domain and use provided auth on first try", "Digest/realm1/realm2/", "2", FALSE, "2", SOUP_STATUS_OK }, { "Reusing last auth. Should succeed on first try", "Digest/realm1/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Should succeed on first try because of earlier domain directive", "Digest/realm1/realm2/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Fail once, then use typoed password, then use right password", "Digest/realm3/", "43", FALSE, "043", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Basic/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Basic/realm1/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Basic/realm1/realm2/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Basic/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Basic/realm3/", "", FALSE, "3", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Digest/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Digest/realm1/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Digest/realm1/realm2/realm1/", "", FALSE, "1", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Digest/realm2/", "", FALSE, "2", SOUP_STATUS_OK }, { "Make sure we haven't forgotten anything", "Digest/realm3/", "", FALSE, "3", SOUP_STATUS_OK }, { "Now the server will reject the formerly-good password", "Basic/realm1/not/", "1", FALSE, /* should not be used */ "1", SOUP_STATUS_UNAUTHORIZED }, { "Make sure we've forgotten it", "Basic/realm1/", "", FALSE, "0", SOUP_STATUS_UNAUTHORIZED }, { "Likewise, reject the formerly-good Digest password", "Digest/realm1/not/", "1", FALSE, /* should not be used */ "1", SOUP_STATUS_UNAUTHORIZED }, { "Make sure we've forgotten it", "Digest/realm1/", "", FALSE, "0", SOUP_STATUS_UNAUTHORIZED }, { "Fail with URI-embedded password, then use right password in the authenticate signal", "Basic/realm3/", "43", TRUE, "43", SOUP_STATUS_OK }, { NULL } }; static const char *auths[] = { "no password", "password 1", "password 2", "password 3", "intentionally wrong password", }; static int identify_auth (SoupMessage *msg) { const char *header; int num; header = soup_message_headers_get_one (msg->request_headers, "Authorization"); if (!header) return 0; if (!g_ascii_strncasecmp (header, "Basic ", 6)) { char *token; gsize len; token = (char *)g_base64_decode (header + 6, &len); num = token[len - 1] - '0'; g_free (token); } else { const char *user; user = strstr (header, "username=\"user"); if (user) num = user[14] - '0'; else num = 0; } g_assert (num >= 0 && num <= 4); return num; } static void handler (SoupMessage *msg, gpointer data) { char *expected = data; int auth, exp; auth = identify_auth (msg); debug_printf (1, " %d %s (using %s)\n", msg->status_code, msg->reason_phrase, auths[auth]); if (*expected) { exp = *expected - '0'; soup_test_assert (auth == exp, "expected %s", auths[exp]); memmove (expected, expected + 1, strlen (expected)); } else { soup_test_assert (*expected, "expected to be finished"); } } static void authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { SoupAuthTest *test = data; char *username, *password; char num; if (!test->provided[0]) return; if (retrying) { if (!test->provided[1]) return; num = test->provided[1]; } else num = test->provided[0]; username = g_strdup_printf ("user%c", num); password = g_strdup_printf ("realm%c", num); soup_auth_authenticate (auth, username, password); g_free (username); g_free (password); } static void bug271540_sent (SoupMessage *msg, gpointer data) { int n = GPOINTER_TO_INT (g_object_get_data (G_OBJECT (msg), "#")); gboolean *authenticated = data; int auth = identify_auth (msg); soup_test_assert (*authenticated || !auth, "using auth on message %d before authenticating", n); soup_test_assert (!*authenticated || auth, "sent unauthenticated message %d after authenticating", n); } static void bug271540_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { int n = GPOINTER_TO_INT (g_object_get_data (G_OBJECT (msg), "#")); gboolean *authenticated = data; if (strcmp (soup_auth_get_scheme_name (auth), "Basic") != 0 || strcmp (soup_auth_get_realm (auth), "realm1") != 0) return; if (!*authenticated) { debug_printf (1, " authenticating message %d\n", n); soup_auth_authenticate (auth, "user1", "realm1"); *authenticated = TRUE; } else { soup_test_assert (!*authenticated, "asked to authenticate message %d after authenticating", n); } } static void bug271540_finished (SoupSession *session, SoupMessage *msg, gpointer data) { int *left = data; soup_test_assert_message_status (msg, SOUP_STATUS_OK); (*left)--; if (!*left) g_main_loop_quit (loop); } static void do_pipelined_auth_test (void) { SoupSession *session; SoupMessage *msg; gboolean authenticated; char *uri; int i; g_test_bug ("271540"); SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); authenticated = FALSE; g_signal_connect (session, "authenticate", G_CALLBACK (bug271540_authenticate), &authenticated); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); for (i = 0; i < 10; i++) { msg = soup_message_new (SOUP_METHOD_GET, uri); g_object_set_data (G_OBJECT (msg), "#", GINT_TO_POINTER (i + 1)); g_signal_connect (msg, "wrote_headers", G_CALLBACK (bug271540_sent), &authenticated); soup_session_queue_message (session, msg, bug271540_finished, &i); } g_free (uri); loop = g_main_loop_new (NULL, TRUE); g_main_loop_run (loop); g_main_loop_unref (loop); soup_test_session_abort_unref (session); } /* We test two different things here: * * 1. If we get a 401 response with "WWW-Authenticate: Digest * stale=true...", we should retry and succeed *without* the * session asking for a password again. * * 2. If we get a successful response with "Authentication-Info: * nextnonce=...", we should update the nonce automatically so as * to avoid getting a stale nonce error on the next request. * * In our Apache config, /Digest/realm1 and /Digest/realm1/expire are * set up to use the same auth info, but only the latter has an * AuthDigestNonceLifetime (of 2 seconds). The way nonces work in * Apache, a nonce received from /Digest/realm1 will still expire in * /Digest/realm1/expire, but it won't issue a nextnonce for a request * in /Digest/realm1. This lets us test both behaviors. * * The expected conversation is: * * First message * GET /Digest/realm1 * * 401 Unauthorized * WWW-Authenticate: Digest nonce=A * * [emit 'authenticate'] * * GET /Digest/realm1 * Authorization: Digest nonce=A * * 200 OK * [No Authentication-Info] * * [sleep 2 seconds: nonce A is no longer valid, but we have no * way of knowing that] * * Second message * GET /Digest/realm1/expire/ * Authorization: Digest nonce=A * * 401 Unauthorized * WWW-Authenticate: Digest stale=true nonce=B * * GET /Digest/realm1/expire/ * Authorization: Digest nonce=B * * 200 OK * Authentication-Info: nextnonce=C * * [sleep 1 second] * * Third message * GET /Digest/realm1/expire/ * Authorization: Digest nonce=C * [nonce=B would work here too] * * 200 OK * Authentication-Info: nextnonce=D * * [sleep 1 second; nonces B and C are no longer valid, but D is] * * Fourth message * GET /Digest/realm1/expire/ * Authorization: Digest nonce=D * * 200 OK * Authentication-Info: nextnonce=D * */ static void digest_nonce_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { if (retrying) return; if (strcmp (soup_auth_get_scheme_name (auth), "Digest") != 0 || strcmp (soup_auth_get_realm (auth), "realm1") != 0) return; soup_auth_authenticate (auth, "user1", "realm1"); } static void digest_nonce_unauthorized (SoupMessage *msg, gpointer data) { gboolean *got_401 = data; *got_401 = TRUE; } static void do_digest_nonce_test (SoupSession *session, const char *nth, const char *uri, gboolean use_auth_cache, gboolean expect_401, gboolean expect_signal) { SoupMessage *msg; gboolean got_401; msg = soup_message_new (SOUP_METHOD_GET, uri); if (!use_auth_cache) { SoupMessageFlags flags = soup_message_get_flags (msg); soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE); } if (expect_signal) { g_signal_connect (session, "authenticate", G_CALLBACK (digest_nonce_authenticate), NULL); } soup_message_add_status_code_handler (msg, "got_headers", SOUP_STATUS_UNAUTHORIZED, G_CALLBACK (digest_nonce_unauthorized), &got_401); got_401 = FALSE; soup_session_send_message (session, msg); soup_test_assert (got_401 == expect_401, "%s request %s a 401 Unauthorized!\n", nth, got_401 ? "got" : "did not get"); soup_test_assert_message_status (msg, SOUP_STATUS_OK); if (expect_signal) { g_signal_handlers_disconnect_by_func (session, G_CALLBACK (digest_nonce_authenticate), NULL); } g_object_unref (msg); } static void do_digest_expiration_test (void) { SoupSession *session; char *uri; SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); uri = g_strconcat (base_uri, "Digest/realm1/", NULL); do_digest_nonce_test (session, "First", uri, TRUE, TRUE, TRUE); g_free (uri); sleep (2); uri = g_strconcat (base_uri, "Digest/realm1/expire/", NULL); do_digest_nonce_test (session, "Second", uri, TRUE, TRUE, FALSE); sleep (1); do_digest_nonce_test (session, "Third", uri, TRUE, FALSE, FALSE); sleep (1); do_digest_nonce_test (session, "Fourth", uri, TRUE, FALSE, FALSE); g_free (uri); soup_test_session_abort_unref (session); } /* Async auth test. We queue three requests to /Basic/realm1, ensuring * that they are sent in order. The first and third ones will be * paused from the authentication callback. The second will be allowed * to fail. Shortly after the third one requests auth, we'll provide * the auth and unpause the two remaining messages, allowing them to * succeed. */ static void async_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { SoupAuth **saved_auth = data; int id = GPOINTER_TO_INT (g_object_get_data (G_OBJECT (msg), "id")); debug_printf (2, " async_authenticate msg%d\n", id); /* The session will try to authenticate msg3 *before* sending * it, because it already knows it's going to need the auth. * Ignore that. */ if (msg->status_code != SOUP_STATUS_UNAUTHORIZED) { debug_printf (2, " (ignoring)\n"); return; } soup_session_pause_message (session, msg); if (saved_auth) *saved_auth = g_object_ref (auth); g_main_loop_quit (loop); } static void async_finished (SoupSession *session, SoupMessage *msg, gpointer user_data) { int *remaining = user_data; int id = GPOINTER_TO_INT (g_object_get_data (G_OBJECT (msg), "id")); debug_printf (2, " async_finished msg%d\n", id); (*remaining)--; if (!*remaining) g_main_loop_quit (loop); } static void async_authenticate_assert_once (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { gboolean *been_here = data; debug_printf (2, " async_authenticate_assert_once\n"); soup_test_assert (!*been_here, "async_authenticate_assert_once called twice"); *been_here = TRUE; } static void async_authenticate_assert_once_and_stop (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { gboolean *been_here = data; debug_printf (2, " async_authenticate_assert_once_and_stop\n"); soup_test_assert (!*been_here, "async_authenticate_assert_once called twice"); *been_here = TRUE; soup_session_pause_message (session, msg); g_main_loop_quit (loop); } static void do_async_auth_good_password_test (void) { SoupSession *session; SoupMessage *msg1, *msg2, *msg3, msg2_bak; guint auth_id; char *uri; SoupAuth *auth = NULL; int remaining; SOUP_TEST_SKIP_IF_NO_APACHE; loop = g_main_loop_new (NULL, TRUE); session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); remaining = 0; msg1 = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg1), "id", GINT_TO_POINTER (1)); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate), &auth); g_object_ref (msg1); remaining++; soup_session_queue_message (session, msg1, async_finished, &remaining); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); /* async_authenticate will pause msg1 and quit loop */ msg2 = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg2), "id", GINT_TO_POINTER (2)); soup_session_send_message (session, msg2); soup_test_assert_message_status (msg2, SOUP_STATUS_UNAUTHORIZED); /* msg2 should be done at this point; assuming everything is * working correctly, the session won't look at it again; we * ensure that if it does, it will crash the test program. */ memcpy (&msg2_bak, msg2, sizeof (SoupMessage)); memset (msg2, 0, sizeof (SoupMessage)); msg3 = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg3), "id", GINT_TO_POINTER (3)); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate), NULL); g_object_ref (msg3); remaining++; soup_session_queue_message (session, msg3, async_finished, &remaining); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); /* async_authenticate will pause msg3 and quit loop */ /* Now do the auth, and restart */ if (auth) { soup_auth_authenticate (auth, "user1", "realm1"); g_object_unref (auth); soup_session_unpause_message (session, msg1); soup_session_unpause_message (session, msg3); g_main_loop_run (loop); /* async_finished will quit the loop */ } else soup_test_assert (auth, "msg1 didn't get authenticate signal"); soup_test_assert_message_status (msg1, SOUP_STATUS_OK); soup_test_assert_message_status (msg3, SOUP_STATUS_OK); soup_test_session_abort_unref (session); g_object_unref (msg1); g_object_unref (msg3); memcpy (msg2, &msg2_bak, sizeof (SoupMessage)); g_object_unref (msg2); g_free (uri); g_main_loop_unref (loop); } static void do_async_auth_bad_password_test (void) { SoupSession *session; SoupMessage *msg; guint auth_id; char *uri; SoupAuth *auth = NULL; int remaining; gboolean been_there; /* Test that giving the wrong password doesn't cause multiple * authenticate signals the second time. */ g_test_bug ("522601"); SOUP_TEST_SKIP_IF_NO_APACHE; loop = g_main_loop_new (NULL, TRUE); session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); remaining = 0; auth = NULL; msg = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg), "id", GINT_TO_POINTER (1)); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate), &auth); g_object_ref (msg); remaining++; soup_session_queue_message (session, msg, async_finished, &remaining); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); soup_auth_authenticate (auth, "user1", "wrong"); g_object_unref (auth); soup_session_unpause_message (session, msg); been_there = FALSE; auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate_assert_once), &been_there); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); soup_test_assert (been_there, "authenticate not emitted"); soup_test_session_abort_unref (session); g_object_unref (msg); g_free (uri); g_main_loop_unref (loop); } static void do_async_auth_no_password_test (void) { SoupSession *session; SoupMessage *msg; guint auth_id; char *uri; int remaining; gboolean been_there; /* Test that giving no password doesn't cause multiple * authenticate signals the second time. */ g_test_bug ("583462"); SOUP_TEST_SKIP_IF_NO_APACHE; loop = g_main_loop_new (NULL, TRUE); session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); remaining = 0; /* Send a message that doesn't actually authenticate */ msg = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg), "id", GINT_TO_POINTER (1)); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate), NULL); g_object_ref (msg); remaining++; soup_session_queue_message (session, msg, async_finished, &remaining); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); soup_session_unpause_message (session, msg); g_main_loop_run (loop); g_object_unref(msg); /* Now send a second message */ msg = soup_message_new ("GET", uri); g_object_set_data (G_OBJECT (msg), "id", GINT_TO_POINTER (2)); g_object_ref (msg); been_there = FALSE; auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (async_authenticate_assert_once_and_stop), &been_there); remaining++; soup_session_queue_message (session, msg, async_finished, &remaining); g_main_loop_run (loop); soup_session_unpause_message (session, msg); g_main_loop_run (loop); g_signal_handler_disconnect (session, auth_id); soup_test_session_abort_unref (session); g_object_unref (msg); g_free (uri); g_main_loop_unref (loop); } typedef struct { const char *password; struct { const char *headers; const char *response; } round[2]; } SelectAuthData; static void select_auth_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { SelectAuthData *sad = data; const char *header, *basic, *digest; int round = retrying ? 1 : 0; header = soup_message_headers_get_list (msg->response_headers, "WWW-Authenticate"); basic = strstr (header, "Basic"); digest = strstr (header, "Digest"); if (basic && digest) { if (basic < digest) sad->round[round].headers = "Basic, Digest"; else sad->round[round].headers = "Digest, Basic"; } else if (basic) sad->round[round].headers = "Basic"; else if (digest) sad->round[round].headers = "Digest"; sad->round[round].response = soup_auth_get_scheme_name (auth); if (sad->password && !retrying) soup_auth_authenticate (auth, "user", sad->password); } static void select_auth_test_one (SoupURI *uri, gboolean disable_digest, const char *password, const char *first_headers, const char *first_response, const char *second_headers, const char *second_response, guint final_status) { SelectAuthData sad; SoupMessage *msg; SoupSession *session; session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); if (disable_digest) soup_session_remove_feature_by_type (session, SOUP_TYPE_AUTH_DIGEST); g_signal_connect (session, "authenticate", G_CALLBACK (select_auth_authenticate), &sad); memset (&sad, 0, sizeof (sad)); sad.password = password; msg = soup_message_new_from_uri ("GET", uri); soup_session_send_message (session, msg); soup_test_assert (strcmp (sad.round[0].headers, first_headers) == 0, "Header order wrong: expected %s, got %s", first_headers, sad.round[0].headers); soup_test_assert (strcmp (sad.round[0].response, first_response) == 0, "Selected auth type wrong: expected %s, got %s", first_response, sad.round[0].response); soup_test_assert (sad.round[1].headers || !second_headers, "Expected a second round"); soup_test_assert (!sad.round[1].headers || second_headers, "Didn't expect a second round"); if (second_headers && second_response) { soup_test_assert (strcmp (sad.round[1].headers, second_headers) == 0, "Second round header order wrong: expected %s, got %s\n", second_headers, sad.round[1].headers); soup_test_assert (strcmp (sad.round[1].response, second_response) == 0, "Second round selected auth type wrong: expected %s, got %s\n", second_response, sad.round[1].response); } soup_test_assert_message_status (msg, final_status); g_object_unref (msg); soup_test_session_abort_unref (session); } static void server_callback (SoupServer *server, SoupMessage *msg, const char *path, GHashTable *query, SoupClientContext *context, gpointer data) { soup_message_set_response (msg, "text/plain", SOUP_MEMORY_STATIC, "OK\r\n", 4); soup_message_set_status (msg, SOUP_STATUS_OK); } static gboolean server_basic_auth_callback (SoupAuthDomain *auth_domain, SoupMessage *msg, const char *username, const char *password, gpointer data) { if (strcmp (username, "user") != 0) return FALSE; return strcmp (password, "good-basic") == 0; } static char * server_digest_auth_callback (SoupAuthDomain *auth_domain, SoupMessage *msg, const char *username, gpointer data) { if (strcmp (username, "user") != 0) return NULL; return soup_auth_domain_digest_encode_password ("user", "auth-test", "good"); } static void do_select_auth_test (void) { SoupServer *server; SoupAuthDomain *basic_auth_domain, *digest_auth_domain; SoupURI *uri; g_test_bug ("562339"); /* It doesn't seem to be possible to configure Apache to serve * multiple auth types for a single URL. So we have to use * SoupServer here. We know that SoupServer handles the server * side of this scenario correctly, because we test it against * curl in server-auth-test. */ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD); soup_server_add_handler (server, NULL, server_callback, NULL, NULL); uri = soup_test_server_get_uri (server, "http", NULL); basic_auth_domain = soup_auth_domain_basic_new ( SOUP_AUTH_DOMAIN_REALM, "auth-test", SOUP_AUTH_DOMAIN_ADD_PATH, "/", SOUP_AUTH_DOMAIN_BASIC_AUTH_CALLBACK, server_basic_auth_callback, NULL); soup_server_add_auth_domain (server, basic_auth_domain); digest_auth_domain = soup_auth_domain_digest_new ( SOUP_AUTH_DOMAIN_REALM, "auth-test", SOUP_AUTH_DOMAIN_ADD_PATH, "/", SOUP_AUTH_DOMAIN_DIGEST_AUTH_CALLBACK, server_digest_auth_callback, NULL); soup_server_add_auth_domain (server, digest_auth_domain); debug_printf (1, " Testing with no auth\n"); select_auth_test_one (uri, FALSE, NULL, "Basic, Digest", "Digest", NULL, NULL, SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing with bad password\n"); select_auth_test_one (uri, FALSE, "bad", "Basic, Digest", "Digest", "Basic, Digest", "Digest", SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing with good password\n"); select_auth_test_one (uri, FALSE, "good", "Basic, Digest", "Digest", NULL, NULL, SOUP_STATUS_OK); /* Test with Digest disabled in the client. */ debug_printf (1, " Testing without Digest with no auth\n"); select_auth_test_one (uri, TRUE, NULL, "Basic, Digest", "Basic", NULL, NULL, SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing without Digest with bad password\n"); select_auth_test_one (uri, TRUE, "bad", "Basic, Digest", "Basic", "Basic, Digest", "Basic", SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing without Digest with good password\n"); select_auth_test_one (uri, TRUE, "good-basic", "Basic, Digest", "Basic", NULL, NULL, SOUP_STATUS_OK); /* Now flip the order of the domains, verify that this flips * the order of the headers, and make sure that digest auth * *still* gets used. */ soup_server_remove_auth_domain (server, basic_auth_domain); soup_server_remove_auth_domain (server, digest_auth_domain); soup_server_add_auth_domain (server, digest_auth_domain); soup_server_add_auth_domain (server, basic_auth_domain); debug_printf (1, " Testing flipped with no auth\n"); select_auth_test_one (uri, FALSE, NULL, "Digest, Basic", "Digest", NULL, NULL, SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing flipped with bad password\n"); select_auth_test_one (uri, FALSE, "bad", "Digest, Basic", "Digest", "Digest, Basic", "Digest", SOUP_STATUS_UNAUTHORIZED); debug_printf (1, " Testing flipped with good password\n"); select_auth_test_one (uri, FALSE, "good", "Digest, Basic", "Digest", NULL, NULL, SOUP_STATUS_OK); g_object_unref (basic_auth_domain); g_object_unref (digest_auth_domain); soup_uri_free (uri); soup_test_server_quit_unref (server); } static void sneakily_close_connection (SoupMessage *msg, gpointer user_data) { /* Sneakily close the connection after the response, by * tricking soup-message-io into thinking that had been * the plan all along. */ soup_message_headers_append (msg->response_headers, "Connection", "close"); } static void auth_close_request_started (SoupServer *server, SoupMessage *msg, SoupClientContext *client, gpointer user_data) { g_signal_connect (msg, "wrote-headers", G_CALLBACK (sneakily_close_connection), NULL); } typedef struct { SoupSession *session; SoupMessage *msg; SoupAuth *auth; } AuthCloseData; static gboolean auth_close_idle_authenticate (gpointer user_data) { AuthCloseData *acd = user_data; soup_auth_authenticate (acd->auth, "user", "good-basic"); soup_session_unpause_message (acd->session, acd->msg); g_object_unref (acd->auth); return FALSE; } static void auth_close_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { AuthCloseData *acd = data; soup_session_pause_message (session, msg); acd->auth = g_object_ref (auth); g_idle_add (auth_close_idle_authenticate, acd); } static void do_auth_close_test (void) { SoupServer *server; SoupAuthDomain *basic_auth_domain; SoupURI *uri; AuthCloseData acd; server = soup_test_server_new (SOUP_TEST_SERVER_DEFAULT); soup_server_add_handler (server, NULL, server_callback, NULL, NULL); uri = soup_test_server_get_uri (server, "http", NULL); soup_uri_set_path (uri, "/close"); basic_auth_domain = soup_auth_domain_basic_new ( SOUP_AUTH_DOMAIN_REALM, "auth-test", SOUP_AUTH_DOMAIN_ADD_PATH, "/", SOUP_AUTH_DOMAIN_BASIC_AUTH_CALLBACK, server_basic_auth_callback, NULL); soup_server_add_auth_domain (server, basic_auth_domain); g_object_unref (basic_auth_domain); g_signal_connect (server, "request-started", G_CALLBACK (auth_close_request_started), NULL); acd.session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); g_signal_connect (acd.session, "authenticate", G_CALLBACK (auth_close_authenticate), &acd); acd.msg = soup_message_new_from_uri ("GET", uri); soup_uri_free (uri); soup_session_send_message (acd.session, acd.msg); soup_test_assert_message_status (acd.msg, SOUP_STATUS_OK); g_object_unref (acd.msg); soup_test_session_abort_unref (acd.session); soup_test_server_quit_unref (server); } static gboolean infinite_cancel (gpointer session) { soup_session_abort (session); return FALSE; } static void infinite_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { soup_auth_authenticate (auth, "user", "bad"); } static void do_infinite_auth_test (void) { SoupSession *session; SoupMessage *msg; char *uri; int timeout; SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); g_signal_connect (session, "authenticate", G_CALLBACK (infinite_authenticate), NULL); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); msg = soup_message_new ("GET", uri); g_free (uri); timeout = g_timeout_add (500, infinite_cancel, session); g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING, "*stuck in infinite loop*"); soup_session_send_message (session, msg); g_test_assert_expected_messages (); soup_test_assert (msg->status_code != SOUP_STATUS_CANCELLED, "Got stuck in loop"); soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED); g_source_remove (timeout); soup_test_session_abort_unref (session); g_object_unref (msg); } static void disappear_request_read (SoupServer *server, SoupMessage *msg, SoupClientContext *context, gpointer user_data) { /* Remove the WWW-Authenticate header if this was a failed attempt */ if (soup_message_headers_get_one (msg->request_headers, "Authorization") && msg->status_code == SOUP_STATUS_UNAUTHORIZED) soup_message_headers_remove (msg->response_headers, "WWW-Authenticate"); } static void disappear_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { int *counter = data; (*counter)++; if (!retrying) soup_auth_authenticate (auth, "user", "bad"); } static void do_disappearing_auth_test (void) { SoupServer *server; SoupAuthDomain *auth_domain; SoupURI *uri; SoupMessage *msg; SoupSession *session; int counter; g_test_bug_base ("https://bugzilla.redhat.com/"); g_test_bug ("916224"); server = soup_test_server_new (FALSE); soup_server_add_handler (server, NULL, server_callback, NULL, NULL); uri = soup_test_server_get_uri (server, "http", NULL); auth_domain = soup_auth_domain_basic_new ( SOUP_AUTH_DOMAIN_REALM, "auth-test", SOUP_AUTH_DOMAIN_ADD_PATH, "/", SOUP_AUTH_DOMAIN_BASIC_AUTH_CALLBACK, server_basic_auth_callback, NULL); soup_server_add_auth_domain (server, auth_domain); g_signal_connect (server, "request-read", G_CALLBACK (disappear_request_read), NULL); session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); counter = 0; g_signal_connect (session, "authenticate", G_CALLBACK (disappear_authenticate), &counter); msg = soup_message_new_from_uri ("GET", uri); soup_session_send_message (session, msg); soup_test_assert (counter <= 2, "Got stuck in loop"); soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED); g_object_unref (msg); soup_test_session_abort_unref (session); g_object_unref (auth_domain); soup_uri_free (uri); soup_test_server_quit_unref (server); } static SoupAuthTest relogin_tests[] = { { "Auth provided via URL, should succeed", "Basic/realm12/", "1", TRUE, "01", SOUP_STATUS_OK }, { "Now should automatically reuse previous auth", "Basic/realm12/", "", FALSE, "1", SOUP_STATUS_OK }, { "Different auth provided via URL for the same realm, should succeed", "Basic/realm12/", "2", TRUE, "2", SOUP_STATUS_OK }, { "Subdir should also automatically reuse auth", "Basic/realm12/subdir/", "", FALSE, "2", SOUP_STATUS_OK }, { "Should fail with no auth", "Basic/realm12/", "4", TRUE, "4", SOUP_STATUS_UNAUTHORIZED }, { "Make sure we've forgotten it", "Basic/realm12/", "", FALSE, "0", SOUP_STATUS_UNAUTHORIZED }, { "Should fail with no auth, fail again with bad password, and give up", "Basic/realm12/", "3", FALSE, "03", SOUP_STATUS_UNAUTHORIZED }, { NULL } }; /* https://bugzilla.gnome.org/show_bug.cgi?id=755617 */ static SoupAuthTest basic_root_pspace_test[] = { { "Auth provided via URL, should succeed", "BasicRoot", "1", TRUE, "01", SOUP_STATUS_OK }, { "Parent dir should automatically reuse auth", "/", "1", FALSE, "1", SOUP_STATUS_OK }, { NULL } }; static void do_batch_tests (gconstpointer data) { const SoupAuthTest *current_tests = data; SoupSession *session; SoupMessage *msg; char *expected, *uristr; SoupURI *base; guint signal; int i; SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); base = soup_uri_new (base_uri); for (i = 0; current_tests[i].url; i++) { SoupURI *soup_uri = soup_uri_new_with_base (base, current_tests[i].url); debug_printf (1, "Test %d: %s\n", i + 1, current_tests[i].explanation); if (current_tests[i].url_auth) { gchar *username = g_strdup_printf ("user%c", current_tests[i].provided[0]); gchar *password = g_strdup_printf ("realm%c", current_tests[i].provided[0]); soup_uri_set_user (soup_uri, username); soup_uri_set_password (soup_uri, password); g_free (username); g_free (password); } msg = soup_message_new_from_uri (SOUP_METHOD_GET, soup_uri); soup_uri_free (soup_uri); if (!msg) { g_printerr ("auth-test: Could not parse URI\n"); exit (1); } uristr = soup_uri_to_string (soup_message_get_uri (msg), FALSE); debug_printf (1, " GET %s\n", uristr); g_free (uristr); expected = g_strdup (current_tests[i].expected); soup_message_add_status_code_handler ( msg, "got_headers", SOUP_STATUS_UNAUTHORIZED, G_CALLBACK (handler), expected); soup_message_add_status_code_handler ( msg, "got_headers", SOUP_STATUS_OK, G_CALLBACK (handler), expected); signal = g_signal_connect (session, "authenticate", G_CALLBACK (authenticate), (gpointer)¤t_tests[i]); soup_session_send_message (session, msg); g_signal_handler_disconnect (session, signal); soup_test_assert_message_status (msg, current_tests[i].final_status); soup_test_assert (!*expected, "expected %d more round(s)\n", (int)strlen (expected)); g_free (expected); debug_printf (1, "\n"); g_object_unref (msg); } soup_uri_free (base); soup_test_session_abort_unref (session); } static void do_clear_credentials_test (void) { SoupSession *session; SoupAuthManager *manager; char *uri; SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION, NULL); uri = g_strconcat (base_uri, "Digest/realm1/", NULL); do_digest_nonce_test (session, "First", uri, TRUE, TRUE, TRUE); manager = SOUP_AUTH_MANAGER (soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER)); soup_auth_manager_clear_cached_credentials (manager); do_digest_nonce_test (session, "Second", uri, TRUE, TRUE, TRUE); g_free (uri); soup_test_session_abort_unref (session); } static void do_message_do_not_use_auth_cache_test (void) { SoupSession *session; SoupAuthManager *manager; SoupMessage *msg; SoupMessageFlags flags; SoupURI *soup_uri; char *uri; SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION, NULL); uri = g_strconcat (base_uri, "Digest/realm1/", NULL); /* First check that cached credentials are not used */ do_digest_nonce_test (session, "First", uri, TRUE, TRUE, TRUE); do_digest_nonce_test (session, "Second", uri, TRUE, FALSE, FALSE); do_digest_nonce_test (session, "Third", uri, FALSE, TRUE, TRUE); /* Passing credentials in the URI should always authenticate * no matter whether the cache is used or not */ soup_uri = soup_uri_new (uri); soup_uri_set_user (soup_uri, "user1"); soup_uri_set_password (soup_uri, "realm1"); msg = soup_message_new_from_uri (SOUP_METHOD_GET, soup_uri); flags = soup_message_get_flags (msg); soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE); soup_session_send_message (session, msg); soup_test_assert_message_status (msg, SOUP_STATUS_OK); g_object_unref (msg); soup_uri_free (soup_uri); manager = SOUP_AUTH_MANAGER (soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER)); soup_auth_manager_clear_cached_credentials (manager); /* Now check that credentials are not stored */ do_digest_nonce_test (session, "First", uri, FALSE, TRUE, TRUE); do_digest_nonce_test (session, "Second", uri, TRUE, TRUE, TRUE); do_digest_nonce_test (session, "Third", uri, TRUE, FALSE, FALSE); /* Credentials were stored for uri, but if we set SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE flag, * and we don't have the authenticate signal, it should respond with 401 */ msg = soup_message_new (SOUP_METHOD_GET, uri); flags = soup_message_get_flags (msg); soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE); soup_session_send_message (session, msg); soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED); g_object_unref (msg); g_free (uri); soup_test_session_abort_unref (session); } static void async_no_auth_cache_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, SoupAuth **auth_out) { debug_printf (1, " async_no_auth_cache_authenticate\n"); soup_session_pause_message (session, msg); *auth_out = g_object_ref (auth); g_main_loop_quit (loop); } static void async_no_auth_cache_finished (SoupSession *session, SoupMessage *msg, gpointer user_data) { debug_printf (1, " async_no_auth_cache_finished\n"); g_main_loop_quit (loop); } static void do_async_message_do_not_use_auth_cache_test (void) { SoupSession *session; SoupMessage *msg; char *uri; SoupAuth *auth = NULL; SoupMessageFlags flags; SOUP_TEST_SKIP_IF_NO_APACHE; loop = g_main_loop_new (NULL, TRUE); session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL); uri = g_strconcat (base_uri, "Basic/realm1/", NULL); msg = soup_message_new ("GET", uri); g_free (uri); g_signal_connect (session, "authenticate", G_CALLBACK (async_no_auth_cache_authenticate), &auth); flags = soup_message_get_flags (msg); soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE); g_object_ref (msg); soup_session_queue_message (session, msg, async_no_auth_cache_finished, NULL); g_main_loop_run (loop); soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED); soup_test_assert (auth, "msg didn't get authenticate signal"); soup_auth_authenticate (auth, "user1", "realm1"); g_object_unref (auth); soup_session_unpause_message (session, msg); g_main_loop_run (loop); soup_test_assert_message_status (msg, SOUP_STATUS_OK); soup_test_session_abort_unref (session); g_object_unref (msg); g_main_loop_unref (loop); } static void has_authorization_header_authenticate (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { SoupAuth **saved_auth = data; soup_auth_authenticate (auth, "user1", "realm1"); *saved_auth = g_object_ref (auth); } static void has_authorization_header_authenticate_assert (SoupSession *session, SoupMessage *msg, SoupAuth *auth, gboolean retrying, gpointer data) { soup_test_assert (FALSE, "authenticate emitted unexpectedly"); } static void do_message_has_authorization_header_test (void) { SoupSession *session; SoupMessage *msg; SoupAuthManager *manager; SoupAuth *auth = NULL; char *token; guint auth_id; char *uri; g_test_bug ("775882"); SOUP_TEST_SKIP_IF_NO_APACHE; session = soup_test_session_new (SOUP_TYPE_SESSION, NULL); uri = g_strconcat (base_uri, "Digest/realm1/", NULL); msg = soup_message_new ("GET", uri); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (has_authorization_header_authenticate), &auth); soup_session_send_message (session, msg); soup_test_assert_message_status (msg, SOUP_STATUS_OK); soup_test_assert (SOUP_IS_AUTH (auth), "Expected a SoupAuth"); token = soup_auth_get_authorization (auth, msg); g_object_unref (auth); g_object_unref (msg); g_signal_handler_disconnect (session, auth_id); manager = SOUP_AUTH_MANAGER (soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER)); soup_auth_manager_clear_cached_credentials (manager); msg = soup_message_new ("GET", uri); soup_message_headers_replace (msg->request_headers, "Authorization", token); auth_id = g_signal_connect (session, "authenticate", G_CALLBACK (has_authorization_header_authenticate_assert), NULL); soup_session_send_message (session, msg); soup_test_assert_message_status (msg, SOUP_STATUS_OK); g_object_unref (msg); /* Check that we can also provide our own Authorization header when not using credentials cache. */ soup_auth_manager_clear_cached_credentials (manager); msg = soup_message_new ("GET", uri); soup_message_headers_replace (msg->request_headers, "Authorization", token); soup_message_set_flags (msg, soup_message_get_flags (msg) | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE); soup_session_send_message (session, msg); soup_test_assert_message_status (msg, SOUP_STATUS_OK); g_object_unref (msg); g_free (token); g_signal_handler_disconnect (session, auth_id); g_free (uri); soup_test_session_abort_unref (session); } int main (int argc, char **argv) { int ret; test_init (argc, argv, NULL); apache_init (); base_uri = "http://127.0.0.1:47524/"; g_test_add_data_func ("/auth/main-tests", main_tests, do_batch_tests); g_test_add_data_func ("/auth/relogin-tests", relogin_tests, do_batch_tests); g_test_add_data_func ("/auth/basic-root-pspec-test", basic_root_pspace_test, do_batch_tests); g_test_add_func ("/auth/pipelined-auth", do_pipelined_auth_test); g_test_add_func ("/auth/digest-expiration", do_digest_expiration_test); g_test_add_func ("/auth/async-auth/good-password", do_async_auth_good_password_test); g_test_add_func ("/auth/async-auth/bad-password", do_async_auth_bad_password_test); g_test_add_func ("/auth/async-auth/no-password", do_async_auth_no_password_test); g_test_add_func ("/auth/select-auth", do_select_auth_test); g_test_add_func ("/auth/auth-close", do_auth_close_test); g_test_add_func ("/auth/infinite-auth", do_infinite_auth_test); g_test_add_func ("/auth/disappearing-auth", do_disappearing_auth_test); g_test_add_func ("/auth/clear-credentials", do_clear_credentials_test); g_test_add_func ("/auth/message-do-not-use-auth-cache", do_message_do_not_use_auth_cache_test); g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test); g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test); ret = g_test_run (); test_cleanup (); return ret; }