author | ncshaw <ncshaw@ibm.com> | 2021-06-22 16:23:18 -0400 |
committer | ncshaw <ncshaw@ibm.com> | 2021-06-28 15:20:20 -0400 |
commit | f8583bf590d245b1a67d26975199788db596c02f (patch) | |
tree | 8274ef15d2b550d170aa1d37b1dc1ce735bb4fbe | |
parent | 12cbedd9317cefa4612ce35cd2bb7d4a774b9c67 (diff) | |
download | couchdb-f8583bf590d245b1a67d26975199788db596c02f.tar.gz |
Remove case sensitivity for basic auth and modify tests
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 38 | ||||
-rw-r--r-- | test/elixir/test/config/suite.elixir | 3 | ||||
-rw-r--r-- | test/elixir/test/security_validation_test.exs | 39 |
3 files changed, 63 insertions, 17 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index f0ca2d56c..fd420bbb0 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,24 +99,28 @@ special_test_authentication_handler(Req) ->
 basic_name_pw(Req) ->
 AuthorizationHeader = header_value(Req, "Authorization"),
 case AuthorizationHeader of
- "Basic " ++ Base64Value ->
- try
- re:split(
- base64:decode(Base64Value),
- ":",
- [{return, list}, {parts, 2}]
- )
- of
- ["_", "_"] ->
- % special name and pass to be logged out
- nil;
- [User, Pass] ->
- {User, Pass};
+ Header when is_list(Header) ->
+ [Basic, Base64Value] = string:split(Header, " "),
+ case string:casefold(Basic) of
+ "basic" ->
+ try re:split(base64:decode(Base64Value), ":", [{return, list}, {parts, 2}]) of
+ ["_", "_"] ->
+ % special name and pass to be logged out
+ nil;
+ [User, Pass] ->
+ {User, Pass};
+ _ ->
+ nil
+ catch
+ error:function_clause ->
+ throw({
+ bad_request,
+ "Authorization header has invalid base64 value"
+ })
+ end;
 _ ->
- nil
- catch
- error:function_clause ->
- throw({bad_request, "Authorization header has invalid base64 value"})
+ throw({bad_request, "Authorization header is invalid"})
 end;
 _ ->
 nil
diff --git a/test/elixir/test/config/suite.elixir b/test/elixir/test/config/suite.elixir
index 7d2fc7966..467ef2c34 100644
--- a/test/elixir/test/config/suite.elixir
+++ b/test/elixir/test/config/suite.elixir
@@ -388,6 +388,9 @@
 "Ddoc writes with admin and replication contexts",
 "Force basic login",
 "Jerry can save a document normally",
+ "Jerry with lowercase 'Basic' auth can save a document normally",
+ "Jerry with uppercase 'Basic' auth can save a document normally",
+ "Jerry with mixed case 'Basic' auth can save a document normally",
 "Non-admin user cannot save a ddoc",
 "Saving document using the wrong credentials",
 "_session API",
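Review bot: The new `[Basic, Base64Value] = string:split(Header, " ")` in the `Header when is_list(Header)` clause raises a badmatch whenever the Authorization header contains no space (a bare token, or just `Basic`), so a malformed header from an unauthenticated client now escapes as an uncaught error instead of the `nil`/`bad_request` outcomes the rest of the function produces. The `_ -> throw({bad_request, "Authorization header is invalid"})` branch further rejects every non-Basic scheme (`Bearer`, `Digest`, …) outright, whereas the removed `"Basic " ++ Base64Value` clause returned `nil` and left the header for the next handler in the chain; if any other configured handler reads `Authorization` (as a token-based handler presumably would), this commit breaks it. I would match on the result of `string:split/2`, return `nil` for anything that is not well-formed Basic, and keep the bad-base64 throw only for a Basic header whose payload fails to decode. `basic_name_pw/1`'s closing `end.` lies outside the hunk.
```erlang
        Header when is_list(Header) ->
            case string:split(Header, " ") of
                [Basic, Base64Value] ->
                    case string:casefold(Basic) of
                        "basic" ->
                            try re:split(base64:decode(Base64Value), ":", [{return, list}, {parts, 2}]) of
                                % … unchanged: ["_", "_"], [User, Pass] and catch-all clauses, bad-base64 catch …
                            end;
                        _ ->
                            % Another auth scheme: return nil so the next handler can inspect it.
                            nil
                    end;
                _ ->
                    % No "<scheme> <credentials>" shape at all; treat as no credentials.
                    nil
            end;
```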
diff --git a/test/elixir/test/security_validation_test.exs b/test/elixir/test/security_validation_test.exs
index dddf7a7b8..cfab242b4 100644
--- a/test/elixir/test/security_validation_test.exs
+++ b/test/elixir/test/security_validation_test.exs
@@ -25,6 +25,18 @@ defmodule SecurityValidationTest do
 spike: [
 # spike:dog
 authorization: "Basic c3Bpa2U6ZG9n"
+ ],
+ jerry_lowercase_basic: [
+ # jerry:mouse with lowercase 'Basic'
+ authorization: "basic amVycnk6bW91c2U="
+ ],
+ jerry_uppercase_basic: [
+ # jerry:mouse with uppercase 'Basic'
+ authorization: "BASIC amVycnk6bW91c2U="
+ ],
+ jerry_mixed_case_basic: [
+ # jerry:mouse with mixed case 'Basic'
+ authorization: "BAsIc amVycnk6bW91c2U="
 ]
 }
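Review bot: The three new `jerry_*_basic` fixtures only cover headers that must be accepted; nothing in the map exercises the rejection paths the same commit adds to `basic_name_pw/1` (a non-Basic scheme, or a header with no space at all), so a regression there would pass this suite. I would add a `jerry_bearer` entry like `authorization: "Bearer amVycnk6bW91c2U="` and a `no_space` entry like `authorization: "Basic"`, and pin in a test what `/_session` returns for each (anonymous context versus a 400) so the intended behaviour is stated explicitly. The `@auth_headers` definition starts before the hunk.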
@@ -113,6 +125,33 @@ defmodule SecurityValidationTest do
 end
 @tag :with_db
+ test "Jerry with lowercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_lowercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc1", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with uppercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_uppercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc2", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with mixed case 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_mixed_case_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc3", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
 test "Non-admin user cannot save a ddoc", context do
 headers = @auth_headers[:jerry]
 resp = Couch.post("/#{context[:db_name]}", body: @ddoc, headers: headers) |
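Review bot: In all three new tests the document write `Couch.post("/#{context[:db_name]}", body: doc)` passes no `headers:`, so the POST goes out with the test client's default credentials (presumably an admin) rather than the case-variant Basic header; only the `/_session` GET exercises the new parsing, and the test names ("can save a document normally") claim more than is checked. The `Non-admin user cannot save a ddoc` test directly below shows the intended shape, passing `headers: headers` to `Couch.post`. Change each write to `assert Couch.post("/#{context[:db_name]}", body: doc, headers: headers).body["ok"]`. The pre-existing `Jerry can save a document normally` test is outside the hunk, so I cannot tell whether it has the same omission.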