author | Ronny <ronny@apache.org> | 2022-08-25 19:29:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-25 19:29:22 +0200 |
commit | ea382cf28111c2b31ddaaf9a04be20a34df454ec (patch) | |
tree | f2c868d8a3b5536b713a10acc4f76b2ff731fb19 | |
parent | bc3242bc8cdf1b4e50da52c4d6c8ac2aeface4cb (diff) | |
download | couchdb-ea382cf28111c2b31ddaaf9a04be20a34df454ec.tar.gz |
Refactor hash algorithms test
The test doesn't check if the hash algorithm is supported by the
erlang vm. The test for supported hash algorithms was only missing
in the test itself and not in CouchDB.
Refactor test and verify hash names during test runs.
-rw-r--r-- | src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl | 25 | ||||
-rw-r--r-- | src/couch/include/couch_db.hrl | 2 | ||||
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 35 | ||||
-rw-r--r-- | src/couch/src/couch_util.erl | 31 |
4 files changed, 49 insertions, 44 deletions
diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl index 3d872aa46..c78427d24 100644 --- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl +++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl @@ -18,8 +18,8 @@ -define(ADM_USER, "adm_user"). -define(ADM_PASS, "adm_pass"). --define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s"). --define(DISALLOWED_HASHES, "md4, md5, ripemd160"). +-define(WORKING_HASHES, "sha256, sha512, sha, blake2s"). +-define(FAILING_HASHES, "md4, md5, ripemd160"). hash_algorithms_test_() -> { @@ -43,12 +43,13 @@ setup() -> config:set("admins", ?ADM_USER, ?b2l(Hashed), false), config:set("chttpd_auth", "secret", NewSecret, false), config:set("chttpd", "require_valid_user", "true", false), - config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false), - AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [ + config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false), + HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [ trim, {return, binary} ]), - DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]), - {Ctx, {AllowedHashes, DisallowedHashes}}. + HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]), + SupportedHashAlgorithms = crypto:supports(hashs), + {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}. teardown({Ctx, _}) -> config:delete("chttpd_auth", "hash_algorithms", false), @@ -83,7 +84,7 @@ test_hash_algorithm([], _) -> test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) -> CurrentTime = couch_httpd_auth:make_cookie_time(), Cookie = make_auth_session_string( - erlang:binary_to_existing_atom(DefaultHashAlgorithm), + DefaultHashAlgorithm, ?ADM_USER, get_full_secret(?ADM_USER), CurrentTime 
@@ -92,8 +93,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta ?assertEqual(Status, ReqStatus), test_hash_algorithm(DecodingHashAlgorithmsList, Status). -test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) -> - test_hash_algorithm(AllowedHashes, 200). +test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) -> + Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms), + test_hash_algorithm(Hashes, 200). -test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) -> - test_hash_algorithm(DisallowedHashes, 401). +test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) -> + Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms), + test_hash_algorithm(Hashes, 401). diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl index 233836d16..e70706a7f 100644 --- a/src/couch/include/couch_db.hrl +++ b/src/couch/include/couch_db.hrl @@ -15,6 +15,8 @@ -define(DESIGN_DOC_PREFIX, "_design/"). -define(DEFAULT_COMPRESSION, snappy). +-define(DEFAULT_HASH_ALGORITHM, sha256). + -define(MIN_STR, <<"">>). -define(MAX_STR, <<255>>). % illegal utf string diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl index e2cb02f8c..b3c984174 100644 --- a/src/couch/src/couch_httpd_auth.erl +++ b/src/couch/src/couch_httpd_auth.erl @@ -16,8 +16,6 @@ -include_lib("couch/include/couch_db.hrl"). --define(DEFAULT_HASH_ALGORITHM, sha256). - -export([party_mode_handler/1]). -export([ @@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) -> end, % Verify expiry and hash CurrentTime = make_cookie_time(), - HashAlgorithms = get_config_hash_algorithms(), + HashAlgorithms = couch_util:get_config_hash_algorithms(), case chttpd_util:get_chttpd_auth_config("secret") of undefined -> couch_log:debug("cookie auth secret is not set", []), 
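Review bot: In `test_hash_algorithms_should_work` and `test_hash_algorithms_should_fail` (hunk `@@ -92,8 +93,10 @@` of the test file), the list is now filtered through `couch_util:verify_hash_names/2` before any assertion runs, so a VM that supports none of the listed names leaves `Hashes` empty. Assuming the `test_hash_algorithm([], _)` clause named in the previous hunk header only ends the recursion, the test then passes without sending a single request. For the 401 case this means the check that cookies signed with `md4, md5, ripemd160` are rejected can disappear without anyone noticing. I would add `?assertNotEqual([], Hashes),` before each `test_hash_algorithm(Hashes, ...)` call, or at least report which names were skipped.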
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) -> cookie_auth_cookie(Req, User, Secret, TimeStamp) -> SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16), - [HashAlgorithm | _] = get_config_hash_algorithms(), + [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(), Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData), mochiweb_cookies:cookie( "AuthSession", @@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) -> "~p: Authentication failed for user ~s from ~s", [?MODULE, User, Peer] ). - -verify_hash_names(HashAlgorithms, SupportedHashFun) -> - verify_hash_names(HashAlgorithms, SupportedHashFun, []). -verify_hash_names([], _, HashNames) -> - lists:reverse(HashNames); -verify_hash_names([H | T], SupportedHashFun, HashNames) -> - try - HashAtom = binary_to_existing_atom(H), - Result = - case lists:member(HashAtom, SupportedHashFun) of - true -> [HashAtom | HashNames]; - false -> HashNames - end, - verify_hash_names(T, SupportedHashFun, Result) - catch - error:badarg -> - couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]), - verify_hash_names(T, SupportedHashFun, HashNames) - end. - --spec get_config_hash_algorithms() -> list(atom()). -get_config_hash_algorithms() -> - SupportedHashAlgorithms = crypto:supports(hashs), - HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"), - HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]), - case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of - [] -> [?DEFAULT_HASH_ALGORITHM]; - VerifiedHashNames -> VerifiedHashNames - end. diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl index 84691d14e..e916bbc69 100644 --- a/src/couch/src/couch_util.erl +++ b/src/couch/src/couch_util.erl 
@@ -43,6 +43,8 @@ -export([set_process_priority/2]). -export([hmac/3]). -export([version_to_binary/1]). +-export([verify_hash_names/2]). +-export([get_config_hash_algorithms/0]). -include_lib("couch/include/couch_db.hrl"). @@ -829,3 +831,32 @@ hex(X) -> 16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566, 16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666 }). + +verify_hash_names(HashAlgorithms, SupportedHashes) -> + verify_hash_names(HashAlgorithms, SupportedHashes, []). +verify_hash_names([], _, HashNames) -> + lists:reverse(HashNames); +verify_hash_names([H | T], SupportedHashes, HashNames) -> + try + HashAtom = binary_to_existing_atom(H), + Result = + case lists:member(HashAtom, SupportedHashes) of + true -> [HashAtom | HashNames]; + false -> HashNames + end, + verify_hash_names(T, SupportedHashes, Result) + catch + error:badarg -> + couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]), + verify_hash_names(T, SupportedHashes, HashNames) + end. + +-spec get_config_hash_algorithms() -> list(atom()). +get_config_hash_algorithms() -> + SupportedHashes = crypto:supports(hashs), + HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"), + HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]), + case verify_hash_names(HashAlgorithms, SupportedHashes) of + [] -> [?DEFAULT_HASH_ALGORITHM]; + VerifiedHashNames -> VerifiedHashNames + end. |
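Review bot: In `verify_hash_names/3` (hunk `@@ -829,3 +831,32 @@` of couch_util.erl), the `false` branch drops a configured name that is a known atom but is missing from `SupportedHashes` without logging anything; only the `error:badarg` path warns. An operator whose `hash_algorithms` entry is not supported by the VM therefore gets session cookies signed with a different algorithm, or with `?DEFAULT_HASH_ALGORITHM` when the list ends up empty, and no trace of why. I would log in that branch as well, e.g. `false -> couch_log:warning("~p: Hash algorithm ~s is not supported.", [?MODULE, H]), HashNames`. The function is now exported, so it also deserves a spec next to the one on `get_config_hash_algorithms/0`, such as `-spec verify_hash_names([binary()], [atom()]) -> [atom()].`. Note too that `?MODULE` in the existing warning now prints `couch_util` rather than `couch_httpd_auth`.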