1 // Copyrights(c) 2017-2021, The Electroneum Project
2 // Copyrights(c) 2014-2019, The Monero Project
3 //
4 // All rights reserved.
5 //
6 // Redistribution and use in source and binary forms, with or without modification, are
7 // permitted provided that the following conditions are met:
8 //
9 // 1. Redistributions of source code must retain the above copyright notice, this list of
10 // conditions and the following disclaimer.
11 //
12 // 2. Redistributions in binary form must reproduce the above copyright notice, this list
13 // of conditions and the following disclaimer in the documentation and/or other
14 // materials provided with the distribution.
15 //
16 // 3. Neither the name of the copyright holder nor the names of its contributors may be
17 // used to endorse or promote products derived from this software without specific
18 // prior written permission.
19 //
20 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
21 // EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
22 // MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
23 // THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 // PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 // STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
28 // THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 
30 #include "gtest/gtest.h"
31 #include "net/http_auth.h"
32 
33 #include <boost/algorithm/string/predicate.hpp>
34 #include <boost/algorithm/string/join.hpp>
35 #include <boost/fusion/adapted/std_pair.hpp>
36 #include <boost/range/algorithm/find_if.hpp>
37 #include <boost/range/iterator_range_core.hpp>
38 #include <boost/spirit/include/karma_char.hpp>
39 #include <boost/spirit/include/karma_list.hpp>
40 #include <boost/spirit/include/karma_generate.hpp>
41 #include <boost/spirit/include/karma_right_alignment.hpp>
42 #include <boost/spirit/include/karma_sequence.hpp>
43 #include <boost/spirit/include/karma_string.hpp>
44 #include <boost/spirit/include/karma_uint.hpp>
45 #include <boost/spirit/include/qi_alternative.hpp>
46 #include <boost/spirit/include/qi_char.hpp>
47 #include <boost/spirit/include/qi_char_class.hpp>
48 #include <boost/spirit/include/qi_difference.hpp>
49 #include <boost/spirit/include/qi_eoi.hpp>
50 #include <boost/spirit/include/qi_list.hpp>
51 #include <boost/spirit/include/qi_parse.hpp>
52 #include <boost/spirit/include/qi_plus.hpp>
53 #include <boost/spirit/include/qi_sequence.hpp>
54 #include <boost/spirit/include/qi_string.hpp>
55 #include <cstdint>
56 #include <iterator>
57 #include <string>
58 #include <unordered_map>
59 #include <utility>
60 #include <vector>
61 
62 #include "md5_l.h"
63 #include "string_tools.h"
64 #include "crypto/crypto.h"
65 
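namespace {
  namespace http = epee::net_utils::http;

  /// Parameters of one digest-auth header, keyed by parameter name.
  using fields = std::unordered_map<std::string, std::string>;
  /// One entry per `WWW-authenticate` challenge found in a response.
  using auth_responses = std::vector<fields>;

  /// Random-byte callback handed to `http_server_auth`; forwards to `crypto::rand`.
  void rng(size_t len, uint8_t *ptr)
  {
    crypto::rand(len, ptr);
  }

  /// Wraps `str` in double quotes. Nothing inside `str` is escaped, so callers
  /// must not pass values that themselves contain a double quote.
  std::string quoted(std::string str)
  {
    str.insert(str.begin(), '"');
    str.push_back('"');
    return str;
  }

  /// Appends `args` to `out` as `name = value` pairs separated by ` , `.
  /// The spaces around the separators are part of the generated text, and the
  /// pair order follows the unordered_map iteration order (unspecified).
  void write_fields(std::string& out, const fields& args)
  {
    namespace karma = boost::spirit::karma;
    karma::generate(
      std::back_inserter(out),
      (karma::string << " = " << karma::string) % " , ",
      args);
  }

  /// Convenience overload returning the serialized pairs as a new string.
  std::string write_fields(const fields& args)
  {
    std::string out{};
    write_fields(out, args);
    return out;
  }

  /// Builds a request with method "NOP" whose `authorization` header carries
  /// `args`. The header value uses an upper-case scheme and extra whitespace.
  /// NOTE(review): presumably chosen to exercise the server parser's tolerance
  /// for case and whitespace - confirm against net/http_auth.
  http::http_request_info make_request(const fields& args)
  {
    std::string out{" DIGEST "};
    write_fields(out, args);

    http::http_request_info request{};
    request.m_http_method_str = "NOP";
    request.m_header_info.m_etc_fields.push_back(
      std::make_pair(u8"authorization", std::move(out))
    );
    return request;
  }

  /// Builds a response carrying one `WWW-authenticate` header per entry of
  /// `choices`, stored in `m_header_info.m_etc_fields`.
  http::http_response_info make_response(const auth_responses& choices)
  {
    // The listing this file was taken from dropped the declaration line; it is
    // restored from the return type and the uses below.
    http::http_response_info response{};
    for (const auto& choice : choices)
    {
      std::string out{" DIGEST "};
      write_fields(out, choice);

      response.m_header_info.m_etc_fields.push_back(
        std::make_pair(u8"WWW-authenticate", std::move(out))
      );
    }
    return response;
  }

  /// Checks that every challenge after the first repeats the first one's
  /// nonce, qop, realm and stale values. Reports the first mismatch through
  /// EXPECT_EQ and returns false. `at()` throws if a challenge lacks a field.
  bool has_same_fields(const auth_responses& in)
  {
    const std::vector<std::string> check{u8"nonce", u8"qop", u8"realm", u8"stale"};

    if (in.empty())
      return true;

    const fields& first = in.front();
    for (auto current = std::next(in.begin()); current != in.end(); ++current)
    {
      for (const auto& field : check)
      {
        const std::string& expected = first.at(field);
        const std::string& actual = current->at(field);
        EXPECT_EQ(expected, actual);
        if (expected != actual)
          return false;
      }
    }
    return true;
  }

  /// True when `response` is a 401 "Unauthorized" with mime type text/html.
  /// Each property is also reported individually through gtest.
  bool is_unauthorized(const http::http_response_info& response)
  {
    EXPECT_EQ(401, response.m_response_code);
    EXPECT_STREQ(u8"Unauthorized", response.m_response_comment.c_str());
    EXPECT_STREQ(u8"text/html", response.m_mime_tipe.c_str());
    return response.m_response_code == 401 &&
      response.m_response_comment == u8"Unauthorized" &&
      response.m_mime_tipe == u8"text/html";
  }

  /// Strict parser for a header value produced by the code under test.
  /// Requires the exact prefix "Digest ", alphabetic names, no whitespace
  /// around '=' or ',', and values that are either double-quoted or made of
  /// graphic characters outside the separator set.
  /// @throws std::runtime_error if the whole value does not match.
  fields parse_fields(const std::string& value)
  {
    namespace qi = boost::spirit::qi;

    fields out{};
    const bool rc = qi::parse(
      value.begin(), value.end(),
      qi::lit(u8"Digest ") >> ((
        +qi::ascii::alpha >>
        qi::lit('=') >> (
          (qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) |
          +(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}"))
        )
      ) % ','
      ) >> qi::eoi,
      out
    );
    if (!rc)
      throw std::runtime_error{"Bad field given in HTTP header"};

    return out;
  }

  /// Parses every `WWW-authenticate` entry of `response.m_additional_fields`,
  /// in order. The name comparison is case-sensitive.
  auth_responses parse_response(const http::http_response_info& response)
  {
    auth_responses result{};

    const auto is_challenge = [] (const std::pair<std::string, std::string>& field) {
      return boost::equals(u8"WWW-authenticate", field.first);
    };

    const auto end = response.m_additional_fields.end();
    auto current = std::find_if(response.m_additional_fields.begin(), end, is_challenge);
    while (current != end)
    {
      result.push_back(parse_fields(current->second));
      current = std::find_if(std::next(current), end, is_challenge);
    }
    return result;
  }

  /// Hex-encoded MD5 of `in`. MD5 is what RFC 2617 digest auth specifies; it is
  /// used here only to recompute the values the implementation should produce.
  std::string md5_hex(const std::string& in)
  {
    md5::MD5_CTX ctx{};
    md5::MD5Init(std::addressof(ctx));
    md5::MD5Update(
      std::addressof(ctx),
      reinterpret_cast<const std::uint8_t*>(in.data()),
      in.size()
    );

    std::array<std::uint8_t, 16> digest{{}};
    md5::MD5Final(digest.data(), std::addressof(ctx));
    return epee::string_tools::pod_to_hex(digest);
  }

  /// A1 for the plain MD5 algorithm: `username:realm:password`.
  /// The password is copied into an ordinary std::string here; acceptable for
  /// fixed test credentials only.
  std::string get_a1(const http::login& user, const fields& src)
  {
    const std::string& realm = src.at(u8"realm");
    return boost::join(
      std::vector<std::string>{user.username, realm, std::string(user.password.data(), user.password.size())}, u8":"
    );
  }

  /// A1 computed from the first challenge; `at(0)` throws if there is none.
  std::string get_a1(const http::login& user, const auth_responses& responses)
  {
    return get_a1(user, responses.at(0));
  }

  /// A1 for MD5-sess: `H(username:realm:password):nonce:cnonce`, with the
  /// nonce taken from the first challenge.
  std::string get_a1_sess(const http::login& user, const std::string& cnonce, const auth_responses& responses)
  {
    const std::string& nonce = responses.at(0).at(u8"nonce");
    return boost::join(
      std::vector<std::string>{md5_hex(get_a1(user, responses)), nonce, cnonce}, u8":"
    );
  }

  /// A2 as `method:uri`, with the method fixed to "NOP" (what make_request sends).
  std::string get_a2(const std::string& uri)
  {
    return boost::join(std::vector<std::string>{"NOP", uri}, u8":");
  }

  /// Formats a nonce count as eight zero-padded hexadecimal digits.
  /// The listing this file was taken from dropped the signature and the
  /// declaration of `out`; both are restored from the body and the call sites
  /// (`std::string nc = get_nc(1)`).
  std::string get_nc(std::uint32_t count)
  {
    namespace karma = boost::spirit::karma;
    std::string out{};
    karma::generate(
      std::back_inserter(out),
      karma::right_align(8, '0')[karma::uint_generator<std::uint32_t, 16>{}],
      count
    );

    return out;
  }
}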
257 
// A server constructed without credentials never issues a challenge:
// get_response() yields an empty result even for a request with no headers.
TEST(HTTP_Server_Auth, NotRequired)
{
  http::http_server_auth auth{}; // no rng here
  const http::http_request_info no_headers{};
  EXPECT_FALSE(auth.get_response(no_headers));
}
263 
// With credentials configured, a request that has no authorization header
// must be challenged, whether it has no headers at all or only an unrelated
// header made of non-ASCII bytes.
TEST(HTTP_Server_Auth, MissingAuth)
{
  http::http_server_auth auth{{"foo", "bar"}, rng};

  const http::http_request_info no_headers{};
  EXPECT_TRUE(bool(auth.get_response(no_headers)));

  http::http_request_info junk_header{};
  junk_header.m_header_info.m_etc_fields.push_back({"\xFF", "\xFF"});
  EXPECT_TRUE(bool(auth.get_response(junk_header)));
}
274 
// Authorization headers containing a 0xFF byte in a parameter name or value
// must be answered with a challenge rather than accepted.
TEST(HTTP_Server_Auth, BadSyntax)
{
  http::http_server_auth auth{{"foo", "bar"}, rng};

  const std::vector<fields> malformed{
    {{u8"algorithm", "fo\xFF"}},
    {{u8"cnonce", "\"000\xFF\""}},
    {{u8"cnonce \xFF =", "\"000\xFF\""}},
    {{u8" \xFF cnonce", "\"000\xFF\""}}
  };
  for (const fields& args : malformed)
  {
    EXPECT_TRUE(bool(auth.get_response(make_request(args))));
  }
}
283 
// Plain MD5 digest without qop: a correct response is accepted once, and
// sending the identical header again is answered with a fresh nonce and
// stale=true, so the nonce cannot be reused.
TEST(HTTP_Server_Auth, MD5)
{
  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  // An authorization header without parameters draws the initial challenge.
  const auto challenge = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(challenge));
  EXPECT_TRUE(is_unauthorized(*challenge));

  const auto offered = parse_response(*challenge);
  ASSERT_LE(2u, offered.size());
  EXPECT_TRUE(has_same_fields(offered));

  const std::string& nonce = offered[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  // response = H( H(A1) : nonce : H(A2) )
  const std::string ha1 = md5_hex(get_a1(user, offered));
  const std::string ha2 = md5_hex(get_a2(uri));
  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{ha1, nonce, ha2}, u8":")
  );

  const auto request = make_request({
    {u8"nonce", quoted(nonce)},
    {u8"realm", quoted(offered[0].at(u8"realm"))},
    {u8"response", quoted(auth_code)},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  });

  // First use of the nonce: authorized (no challenge returned).
  EXPECT_FALSE(bool(auth.get_response(request)));

  // Second use of the very same header: rejected.
  const auto rechallenge = auth.get_response(request);
  ASSERT_TRUE(bool(rechallenge));
  EXPECT_TRUE(is_unauthorized(*rechallenge));

  const auto reoffered = parse_response(*rechallenge);
  ASSERT_LE(2u, reoffered.size());
  EXPECT_TRUE(has_same_fields(reoffered));

  EXPECT_NE(nonce, reoffered[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", reoffered[0].at(u8"stale").c_str());
}
330 
// MD5-sess without qop: A1 is derived from H(user:realm:password), the server
// nonce and the client nonce. As in the plain MD5 case, the header is accepted
// once and its reuse is answered with a new nonce and stale=true.
TEST(HTTP_Server_Auth, MD5_sess)
{
  constexpr const char cnonce[] = "not a good cnonce";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  const auto challenge = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(challenge));
  EXPECT_TRUE(is_unauthorized(*challenge));

  const auto offered = parse_response(*challenge);
  ASSERT_LE(2u, offered.size());
  EXPECT_TRUE(has_same_fields(offered));

  const std::string& nonce = offered[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  // response = H( H(A1_sess) : nonce : H(A2) )
  const std::string ha1 = md5_hex(get_a1_sess(user, cnonce, offered));
  const std::string ha2 = md5_hex(get_a2(uri));
  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{ha1, nonce, ha2}, u8":")
  );

  const auto request = make_request({
    {u8"algorithm", u8"md5-sess"},
    {u8"cnonce", quoted(cnonce)},
    {u8"nonce", quoted(nonce)},
    {u8"realm", quoted(offered[0].at(u8"realm"))},
    {u8"response", quoted(auth_code)},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  });

  // First use: authorized.
  EXPECT_FALSE(bool(auth.get_response(request)));

  // Reuse of the same header: rejected with a new, stale-marked challenge.
  const auto rechallenge = auth.get_response(request);
  ASSERT_TRUE(bool(rechallenge));
  EXPECT_TRUE(is_unauthorized(*rechallenge));

  const auto reoffered = parse_response(*rechallenge);
  ASSERT_LE(2u, reoffered.size());
  EXPECT_TRUE(has_same_fields(reoffered));

  EXPECT_NE(nonce, reoffered[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", reoffered[0].at(u8"stale").c_str());
}
381 
// MD5 with qop=auth: the nonce may be reused as long as the nonce count (nc)
// keeps increasing. Replaying the first request (nc=1) after nc has advanced
// must be rejected with a new nonce and stale=true.
TEST(HTTP_Server_Auth, MD5_auth)
{
  constexpr const char cnonce[] = "not a nonce";
  constexpr const char qop[] = "auth";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  const auto challenge = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(challenge));
  EXPECT_TRUE(is_unauthorized(*challenge));

  const auto offered = parse_response(*challenge);
  ASSERT_LE(2u, offered.size());
  EXPECT_TRUE(has_same_fields(offered));

  const std::string& nonce = offered[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  const std::string ha1 = md5_hex(get_a1(user, offered));
  const std::string ha2 = md5_hex(get_a2(uri));
  std::string nc = get_nc(1);

  // response = H( H(A1) : nonce : nc : cnonce : qop : H(A2) ); reads the
  // current value of `nc` on every call.
  const auto generate_auth = [&] {
    const std::vector<std::string> parts{ha1, nonce, nc, cnonce, qop, ha2};
    return md5_hex(boost::join(parts, u8":"));
  };

  fields args{
    {u8"algorithm", quoted(u8"md5")},
    {u8"cnonce", quoted(cnonce)},
    {u8"nc", nc},
    {u8"nonce", quoted(nonce)},
    {u8"qop", quoted(qop)},
    {u8"realm", quoted(offered[0].at(u8"realm"))},
    {u8"response", quoted(generate_auth())},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  };

  // nc=1 is accepted and kept for the replay attempt below.
  const auto first_request = make_request(args);
  EXPECT_FALSE(bool(auth.get_response(first_request)));

  // Strictly increasing nonce counts on the same nonce stay authorized.
  for (unsigned i = 2; i < 20; ++i)
  {
    nc = get_nc(i);
    args.at(u8"nc") = nc;
    args.at(u8"response") = quoted(generate_auth());
    EXPECT_FALSE(auth.get_response(make_request(args)));
  }

  // Replay of the nc=1 request.
  const auto replay = auth.get_response(first_request);
  ASSERT_TRUE(bool(replay));
  EXPECT_TRUE(is_unauthorized(*replay));

  const auto parsed_replay = parse_response(*replay);
  ASSERT_LE(2u, parsed_replay.size());
  EXPECT_TRUE(has_same_fields(parsed_replay));

  EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
449 
// MD5-sess with qop=auth. Same replay expectations as the MD5/qop=auth case;
// here `algorithm` and `qop` are sent unquoted.
TEST(HTTP_Server_Auth, MD5_sess_auth)
{
  constexpr const char cnonce[] = "not a nonce";
  constexpr const char qop[] = "auth";

  http::login user{"foo", "bar"};
  http::http_server_auth auth{user, rng};

  const auto challenge = auth.get_response(make_request(fields{}));
  ASSERT_TRUE(bool(challenge));
  EXPECT_TRUE(is_unauthorized(*challenge));

  const auto offered = parse_response(*challenge);
  ASSERT_LE(2u, offered.size());
  EXPECT_TRUE(has_same_fields(offered));

  const std::string& nonce = offered[0].at(u8"nonce");
  EXPECT_EQ(24, nonce.size());

  const std::string uri{"/some_foo_thing"};

  const std::string ha1 = md5_hex(get_a1_sess(user, cnonce, offered));
  const std::string ha2 = md5_hex(get_a2(uri));
  std::string nc = get_nc(1);

  // response = H( H(A1_sess) : nonce : nc : cnonce : qop : H(A2) ); reads the
  // current value of `nc` on every call.
  const auto generate_auth = [&] {
    const std::vector<std::string> parts{ha1, nonce, nc, cnonce, qop, ha2};
    return md5_hex(boost::join(parts, u8":"));
  };

  fields args{
    {u8"algorithm", u8"md5-sess"},
    {u8"cnonce", quoted(cnonce)},
    {u8"nc", nc},
    {u8"nonce", quoted(nonce)},
    {u8"qop", qop},
    {u8"realm", quoted(offered[0].at(u8"realm"))},
    {u8"response", quoted(generate_auth())},
    {u8"uri", quoted(uri)},
    {u8"username", quoted(user.username)}
  };

  // nc=1 is accepted and kept for the replay attempt below.
  const auto first_request = make_request(args);
  EXPECT_FALSE(bool(auth.get_response(first_request)));

  // Strictly increasing nonce counts on the same nonce stay authorized.
  for (unsigned i = 2; i < 20; ++i)
  {
    nc = get_nc(i);
    args.at(u8"nc") = nc;
    args.at(u8"response") = quoted(generate_auth());
    EXPECT_FALSE(auth.get_response(make_request(args)));
  }

  // Replay of the nc=1 request.
  const auto replay = auth.get_response(first_request);
  ASSERT_TRUE(bool(replay));
  EXPECT_TRUE(is_unauthorized(*replay));

  const auto parsed_replay = parse_response(*replay);
  ASSERT_LE(2u, parsed_replay.size());
  EXPECT_TRUE(has_same_fields(parsed_replay));

  EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
  EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
517 
518 
// Round trip between the project's own client and server implementations.
// NOTE(review): the listing this test was taken from skips its lines 546, 561
// and 583; the gaps are marked below and nothing has been filled in. Restore
// them from the repository before building.
TEST(HTTP_Auth, DogFood)
{
  // Asks the client for an Authorization field and attaches it to the request.
  const auto add_auth_field = [] (http::http_request_info& request, http::http_client_auth& client)
  {
    auto field = client.get_auth_field(request.m_http_method_str, request.m_URI);
    EXPECT_TRUE(bool(field));
    if (!field)
      return false;
    request.m_header_info.m_etc_fields.push_back(std::move(*field));
    return true;
  };

  const http::login user{"some_user", "ultimate password"};

  http::http_server_auth server{user, rng};
  http::http_client_auth client{user};

  http::http_request_info request{};
  request.m_http_method_str = "GET";
  request.m_URI = "/FOO";

  // Unauthenticated request: the server puts its challenges in
  // m_additional_fields; they are copied to m_etc_fields for the client.
  auto response = server.get_response(request);
  ASSERT_TRUE(bool(response));
  EXPECT_TRUE(is_unauthorized(*response));
  EXPECT_TRUE(response->m_header_info.m_etc_fields.empty());
  response->m_header_info.m_etc_fields = response->m_additional_fields;

  // NOTE(review): listing line 546 is missing here - presumably the client is
  // given the challenge at this point; confirm.
  EXPECT_TRUE(add_auth_field(request, client));
  EXPECT_FALSE(bool(server.get_response(request)));

  // Many follow-up requests on the same nonce, each with a changed method.
  for (unsigned i = 0; i < 1000; ++i)
  {
    request.m_http_method_str += std::to_string(i);
    request.m_header_info.m_etc_fields.clear();
    EXPECT_TRUE(add_auth_field(request, client));
    EXPECT_FALSE(bool(server.get_response(request)));
  }

  // resetting counter should be rejected by server
  request.m_header_info.m_etc_fields.clear();
  client = http::http_client_auth{user};
  // NOTE(review): listing line 561 is missing here.
  EXPECT_TRUE(add_auth_field(request, client));

  auto response2 = server.get_response(request);
  ASSERT_TRUE(bool(response2));
  EXPECT_TRUE(is_unauthorized(*response2));
  EXPECT_TRUE(response2->m_header_info.m_etc_fields.empty());
  response2->m_header_info.m_etc_fields = response2->m_additional_fields;

  // The rejection must carry a nonce different from the first challenge.
  const auth_responses parsed1 = parse_response(*response);
  const auth_responses parsed2 = parse_response(*response2);
  ASSERT_LE(1u, parsed1.size());
  ASSERT_LE(1u, parsed2.size());
  EXPECT_NE(parsed1[0].at(u8"nonce"), parsed2[0].at(u8"nonce"));

  // with stale=true client should reset
  request.m_header_info.m_etc_fields.clear();
  EXPECT_EQ(http::http_client_auth::kSuccess, client.handle_401(*response2));
  EXPECT_TRUE(add_auth_field(request, client));
  EXPECT_FALSE(bool(server.get_response(request)));

  // client should give up if stale=false
  // NOTE(review): listing line 583, the statement this comment introduces, is
  // missing.
}
585 
// A client constructed without credentials produces no Authorization field.
// NOTE(review): the listing skips its line 589 (between the two statements);
// restore it from the repository.
TEST(HTTP_Client_Auth, Unavailable)
{
  http::http_client_auth auth{};
  // NOTE(review): listing line 589 is missing here.
  const auto field = auth.get_auth_field("GET", "/file");
  EXPECT_FALSE(bool(field));
}
592 
// Without a usable WWW-authenticate challenge the client must not emit an
// Authorization field.
// NOTE(review): the listing skips its lines 596, 599 and 601. As shown,
// `response` is used without a visible declaration, so this block does not
// build until those lines are restored from the repository.
TEST(HTTP_Client_Auth, MissingAuthenticate)
{
  http::http_client_auth auth{{"foo", "bar"}};
  // NOTE(review): listing line 596 is missing here.
  EXPECT_FALSE(bool(auth.get_auth_field("POST", "/\xFFname")));
  {
    // NOTE(review): listing line 599 is missing here - presumably the
    // declaration of `response`; confirm.
    response.m_additional_fields.push_back({"\xFF", "\xFF"});
    // NOTE(review): listing line 601 is missing here.
  }
  EXPECT_FALSE(bool(auth.get_auth_field("DELETE", "/file/does/not/exist")));
}
605 
// Challenges containing a 0xFF byte in a parameter name or value must be
// reported as kParseFailure by the client.
TEST(HTTP_Client_Auth, BadSyntax)
{
  http::http_client_auth auth{{"foo", "bar"}};

  const std::vector<fields> malformed{
    {{u8"realm", "fo\xFF"}},
    {{u8"domain", "fo\xFF"}},
    {{u8"nonce", "fo\xFF"}},
    {{u8"nonce \xFF =", "fo\xFF"}},
    {{u8" \xFF nonce", "fo\xFF"}}
  };
  for (const fields& challenge : malformed)
  {
    EXPECT_EQ(http::http_client_auth::kParseFailure, auth.handle_401(make_response({challenge})));
  }
}
615 
// Client side, plain MD5 without qop. Two challenges are offered; the
// expectations show the client answering the first one (upper-case "REALM",
// no algorithm) and not the second, whose algorithm is "null".
// NOTE(review): the listing skips its lines 640, 668 and 670; the gaps are
// marked below and nothing has been filled in.
TEST(HTTP_Client_Auth, MD5)
{
  constexpr char method[] = "NOP";
  constexpr char nonce[] = "some crazy nonce";
  constexpr char realm[] = "the only realm";
  constexpr char uri[] = "/some_file";

  const http::login user{"foo", "bar"};
  http::http_client_auth auth{user};

  auto response = make_response({
    {
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(nonce)},
      {u8"REALM", quoted(realm)}
    },
    {
      {u8"algorithm", "null"},
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(std::string{"e"} + nonce)},
      {u8"realm", quoted(std::string{"e"} + realm)}
    },
  });

  // NOTE(review): listing line 640 is missing here - presumably the client
  // is given `response` at this point; confirm.
  const auto auth_field = auth.get_auth_field(method, uri);
  ASSERT_TRUE(bool(auth_field));

  const auto parsed = parse_fields(auth_field->second);
  EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
  // Without qop in the challenge, none of the qop-related parameters appear.
  EXPECT_EQ(parsed.end(), parsed.find(u8"opaque"));
  EXPECT_EQ(parsed.end(), parsed.find(u8"qop"));
  EXPECT_EQ(parsed.end(), parsed.find(u8"nc"));
  EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
  EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
  EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
  EXPECT_EQ(user.username, parsed.at(u8"username"));
  EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());

  // response = H( H(A1) : nonce : H(A2) ), compared case-insensitively.
  const std::string ha1 = md5_hex(get_a1(user, parsed));
  const std::string ha2 = md5_hex(get_a2(uri));
  const std::string auth_code = md5_hex(
    boost::join(std::vector<std::string>{ha1, nonce, ha2}, u8":")
  );
  EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
  {
    // With no nonce count in play, asking again yields the identical field.
    const auto auth_field_dup = auth.get_auth_field(method, uri);
    ASSERT_TRUE(bool(auth_field_dup));
    EXPECT_EQ(*auth_field, *auth_field_dup);
  }

  // NOTE(review): listing line 668 is missing here.
  // Marks the first challenge as stale (upper-case value).
  response.m_header_info.m_etc_fields.front().second.append(u8"," + write_fields({{u8"stale", u8"TRUE"}}));
  // NOTE(review): listing line 670 is missing here.
}
672 
// Client side, MD5 with qop=auth. The expectations show the client answering
// the second challenge (mixed-case parameter names, qop list containing
// "auth") and incrementing nc on every generated field.
// NOTE(review): the expected digest is computed with an empty cnonce, which
// implies the client contributes no client-side nonce under qop=auth - confirm
// that this is intended.
// NOTE(review): the listing skips its lines 704, 732 and 734; the gaps are
// marked below and nothing has been filled in.
TEST(HTTP_Client_Auth, MD5_auth)
{
  constexpr char cnonce[] = "";
  constexpr char method[] = "NOP";
  constexpr char nonce[] = "some crazy nonce";
  constexpr char opaque[] = "this is the opaque";
  constexpr char qop[] = u8"ignore,auth,ignore";
  constexpr char realm[] = "the only realm";
  constexpr char uri[] = "/some_file";

  const http::login user{"foo", "bar"};
  http::http_client_auth auth{user};

  auto response = make_response({
    {
      {u8"algorithm", u8"MD5"},
      {u8"domain", quoted("ignored")},
      {u8"nonce", quoted(std::string{"e"} + nonce)},
      {u8"realm", quoted(std::string{"e"} + realm)},
      {u8"qop", quoted("some,thing,to,ignore")}
    },
    {
      {u8"algorIthm", quoted(u8"md5")},
      {u8"domain", quoted("ignored")},
      {u8"noNce", quoted(nonce)},
      {u8"opaque", quoted(opaque)},
      {u8"realm", quoted(realm)},
      {u8"QoP", quoted(qop)}
    }
  });

  // NOTE(review): listing line 704 is missing here - presumably the client
  // is given `response` at this point; confirm.

  for (unsigned i = 1; i < 1000; ++i)
  {
    // The i-th generated field must carry nonce count i.
    const std::string nc = get_nc(i);

    const auto auth_field = auth.get_auth_field(method, uri);
    ASSERT_TRUE(bool(auth_field));

    const auto parsed = parse_fields(auth_field->second);
    EXPECT_STREQ(u8"Authorization", auth_field->first.c_str());
    EXPECT_STREQ(u8"MD5", parsed.at(u8"algorithm").c_str());
    EXPECT_STREQ(nonce, parsed.at(u8"nonce").c_str());
    EXPECT_STREQ(opaque, parsed.at(u8"opaque").c_str());
    EXPECT_STREQ(u8"auth", parsed.at(u8"qop").c_str());
    EXPECT_STREQ(uri, parsed.at(u8"uri").c_str());
    EXPECT_EQ(user.username, parsed.at(u8"username"));
    EXPECT_STREQ(realm, parsed.at(u8"realm").c_str());
    EXPECT_EQ(nc, parsed.at(u8"nc"));

    // response = H( H(A1) : nonce : nc : cnonce : "auth" : H(A2) )
    const std::string ha1 = md5_hex(get_a1(user, parsed));
    const std::string ha2 = md5_hex(get_a2(uri));
    const std::string auth_code = md5_hex(
      boost::join(std::vector<std::string>{ha1, nonce, nc, cnonce, u8"auth", ha2}, u8":")
    );
    EXPECT_TRUE(boost::iequals(auth_code, parsed.at(u8"response")));
  }

  // NOTE(review): listing line 732 is missing here.
  // Marks the second challenge as stale (mixed-case value).
  response.m_header_info.m_etc_fields.back().second.append(u8"," + write_fields({{u8"stale", u8"trUe"}}));
  // NOTE(review): listing line 734 is missing here.
}
736 
737 
// add_field() appends "name: value\r\n" to the existing text for each of its
// three call forms (C strings, std::string, and a name/value pair).
// NOTE(review): this test does not pin what happens when a name or value
// itself contains CR or LF; callers passing untrusted text should check how
// add_field treats those bytes.
TEST(HTTP, Add_Field)
{
  std::string str{"leading text"};
  http::add_field(str, "foo", "bar");
  http::add_field(str, std::string("bar"), std::string("foo"));
  http::add_field(str, {"moarbars", "moarfoo"});

  const char expected[] = "leading textfoo: bar\r\nbar: foo\r\nmoarbars: moarfoo\r\n";
  EXPECT_STREQ(expected, str.c_str());
}