summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorncshaw <ncshaw@ibm.com>2021-06-22 16:23:18 -0400
committerncshaw <ncshaw@ibm.com>2021-06-28 15:20:20 -0400
commitf8583bf590d245b1a67d26975199788db596c02f (patch)
tree8274ef15d2b550d170aa1d37b1dc1ce735bb4fbe
parent12cbedd9317cefa4612ce35cd2bb7d4a774b9c67 (diff)
downloadcouchdb-f8583bf590d245b1a67d26975199788db596c02f.tar.gz
Remove case sensitivity for basic auth and modify tests
-rw-r--r--src/couch/src/couch_httpd_auth.erl38
-rw-r--r--test/elixir/test/config/suite.elixir3
-rw-r--r--test/elixir/test/security_validation_test.exs39
3 files changed, 63 insertions, 17 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index f0ca2d56c..fd420bbb0 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,24 +99,28 @@ special_test_authentication_handler(Req) ->
basic_name_pw(Req) ->
AuthorizationHeader = header_value(Req, "Authorization"),
case AuthorizationHeader of
- "Basic " ++ Base64Value ->
- try
- re:split(
- base64:decode(Base64Value),
- ":",
- [{return, list}, {parts, 2}]
- )
- of
- ["_", "_"] ->
- % special name and pass to be logged out
- nil;
- [User, Pass] ->
- {User, Pass};
+ Header when is_list(Header) ->
+ [Basic, Base64Value] = string:split(Header, " "),
+ case string:casefold(Basic) of
+ "basic" ->
+ try re:split(base64:decode(Base64Value), ":",
+ [{return, list}, {parts, 2}]) of
+ ["_", "_"] ->
+ % special name and pass to be logged out
+ nil;
+ [User, Pass] ->
+ {User, Pass};
+ _ ->
+ nil
+ catch
+ error:function_clause ->
+ throw({
+ bad_request,
+ "Authorization header has invalid base64 value"
+ })
+ end;
_ ->
- nil
- catch
- error:function_clause ->
- throw({bad_request, "Authorization header has invalid base64 value"})
+ throw({bad_request, "Authorization header is invalid"})
end;
_ ->
nil
diff --git a/test/elixir/test/config/suite.elixir b/test/elixir/test/config/suite.elixir
index 7d2fc7966..467ef2c34 100644
--- a/test/elixir/test/config/suite.elixir
+++ b/test/elixir/test/config/suite.elixir
@@ -388,6 +388,9 @@
"Ddoc writes with admin and replication contexts",
"Force basic login",
"Jerry can save a document normally",
+ "Jerry with lowercase 'Basic' auth can save a document normally",
+ "Jerry with uppercase 'Basic' auth can save a document normally",
+ "Jerry with mixed case 'Basic' auth can save a document normally",
"Non-admin user cannot save a ddoc",
"Saving document using the wrong credentials",
"_session API",
diff --git a/test/elixir/test/security_validation_test.exs b/test/elixir/test/security_validation_test.exs
index dddf7a7b8..cfab242b4 100644
--- a/test/elixir/test/security_validation_test.exs
+++ b/test/elixir/test/security_validation_test.exs
@@ -25,6 +25,18 @@ defmodule SecurityValidationTest do
spike: [
# spike:dog
authorization: "Basic c3Bpa2U6ZG9n"
+ ],
+ jerry_lowercase_basic: [
+ # jerry:mouse with lowercase 'Basic'
+ authorization: "basic amVycnk6bW91c2U="
+ ],
+ jerry_uppercase_basic: [
+ # jerry:mouse with uppercase 'Basic'
+ authorization: "BASIC amVycnk6bW91c2U="
+ ],
+ jerry_mixed_case_basic: [
+ # jerry:mouse with mixed case 'Basic'
+ authorization: "BAsIc amVycnk6bW91c2U="
]
}
@@ -113,6 +125,33 @@ defmodule SecurityValidationTest do
end
@tag :with_db
+ test "Jerry with lowercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_lowercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc1", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with uppercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_uppercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc2", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with mixed case 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_mixed_case_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc3", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
test "Non-admin user cannot save a ddoc", context do
headers = @auth_headers[:jerry]
resp = Couch.post("/#{context[:db_name]}", body: @ddoc, headers: headers)