test/unit/authn.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

/* Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "../httpdunit.h"

#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"

/*
 * Test Fixture -- runs once per test
 */

static apr_pool_t  *g_pool;
static request_rec *g_request;

static void authn_setup(void)
{
    if (apr_pool_create(&g_pool, NULL) != APR_SUCCESS) {
        exit(1);
    }

    /* Stub out just enough of a request_req to get the tests working.
     * Unfortunately this couples us to implementation details in the code being
     * tested, but the logic to get a "real" request_rec requires spinning up
     * half of the world. */
    g_request = apr_pcalloc(g_pool, sizeof(*g_request));
    if (!g_request) {
        exit(1);
    }

    g_request->pool = g_pool;
    g_request->headers_in = apr_table_make(g_pool, 1);

    if (!g_request->headers_in) {
        exit(1);
    }
}

static void authn_teardown(void)
{
    apr_pool_destroy(g_pool);
}

/*
 * ap_get_basic_auth_components()
 */

static const char * const basic_auth_cases[][3] = {
    /*
     * case[0] - Authorization header value
     * case[1] - expected username
     * case[2] - expected password
     */
    { "Basic Ym9iOm15cGFzcw==",    "bob", "mypass" },
    { "Basic    Ym9iOm15cGFzcw==", "bob", "mypass" },
    { "Basic Ym9iOg==",            "bob", "" },
    { "Basic Om15cGFzcw==",        "",    "mypass" },
    { "Basic Og==",                "",    "" },

    /*
     * Dubious compatibility cases
     */

    /* HT is disallowed per 7235, but ap_get_basic_auth_pw() allowed it */
    { "Basic \tYm9iOm15cGFzcw==",  "bob", "mypass" },
    /* username without colon separator, technically disallowed per 2617 */
    { "Basic Ym9i",                "bob", "" },
    /* no data at all, technically disallowed per 2617/7235 */
    { "Basic ",                    "",    "" },
    { "Basic",                     "",    "" },
    /* completely invalid junk, disallowed per 2617/7235 */
    { "Basic ?*J#kd92%$@",         "",    "" },
};
static const size_t basic_auth_cases_len = sizeof(basic_auth_cases) /
                                           sizeof(basic_auth_cases[0]);

HTTPD_START_LOOP_TEST(test_get_basic_auth_components_correctly_decodes_credentials, basic_auth_cases_len)
{
    const char *header_val    = basic_auth_cases[_i][0];
    const char *expected_user = basic_auth_cases[_i][1];
    const char *expected_pass = basic_auth_cases[_i][2];

    apr_status_t status;
    const char *username;
    const char *password;

    apr_table_setn(g_request->headers_in, "Authorization", header_val);

    status = ap_get_basic_auth_components(g_request, &username, &password);

    ck_assert_int_eq(status, APR_SUCCESS);
    ck_assert_str_eq(username, expected_user);
    ck_assert_str_eq(password, expected_pass);
}
END_TEST

START_TEST(test_get_basic_auth_components_fails_without_Authorization_header)
{
    apr_status_t status;

    status = ap_get_basic_auth_components(g_request, NULL, NULL);
    ck_assert_int_eq(status, APR_EINVAL);
}
END_TEST

START_TEST(test_get_basic_auth_components_fails_with_non_Basic_credentials)
{
    apr_status_t status;

    apr_table_setn(g_request->headers_in, "Authorization",
                   "Digest Ym9iOm15cGFzcw==");

    status = ap_get_basic_auth_components(g_request, NULL, NULL);
    ck_assert_int_eq(status, APR_EINVAL);
}
END_TEST

START_TEST(test_get_basic_auth_components_uses_Proxy_Authorization_for_proxied_requests)
{
    apr_status_t status;
    const char *username;
    const char *password;

    g_request->proxyreq = PROXYREQ_PROXY;
    apr_table_setn(g_request->headers_in, "Proxy-Authorization",
                   "Basic Ym9iOm15cGFzcw==");

    status = ap_get_basic_auth_components(g_request, &username, &password);

    ck_assert_int_eq(status, APR_SUCCESS);
    ck_assert_str_eq(username, "bob");
    ck_assert_str_eq(password, "mypass");
}
END_TEST

/*
 * Test Case Boilerplate
 */
HTTPD_BEGIN_TEST_CASE_WITH_FIXTURE(authn, authn_setup, authn_teardown)
#include "test/unit/authn.tests"
HTTPD_END_TEST_CASE