File: http_token_authentication_test.rb

package info (click to toggle)
rails 2%3A7.2.2.1%2Bdfsg-7
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 43,352 kB
  • sloc: ruby: 349,799; javascript: 30,703; yacc: 46; sql: 43; sh: 29; makefile: 27
file content (248 lines) | stat: -rw-r--r-- 8,848 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
 
# frozen_string_literal: true

require "abstract_unit"

class HttpTokenAuthenticationTest < ActionController::TestCase
  class DummyController < ActionController::Base
    before_action :authenticate, only: :index
    before_action :authenticate_with_request, only: :display
    before_action :authenticate_long_credentials, only: :show

    def index
      render plain: "Hello Secret"
    end

    def display
      render plain: "Definitely Maybe"
    end

    def show
      render plain: "Only for loooooong credentials"
    end

    private
      def authenticate
        authenticate_or_request_with_http_token do |token, _|
          token == "lifo"
        end
      end

      def authenticate_with_request
        if authenticate_with_http_token { |token, options| token == '"quote" pretty' && options[:algorithm] == "test" }
          @logged_in = true
        else
          request_http_token_authentication("SuperSecret", "Authentication Failed\n")
        end
      end

      def authenticate_long_credentials
        authenticate_or_request_with_http_token do |token, options|
          token == "1234567890123456789012345678901234567890" && options[:algorithm] == "test"
        end
      end
  end

  AUTH_HEADERS = ["HTTP_AUTHORIZATION", "X-HTTP_AUTHORIZATION", "X_HTTP_AUTHORIZATION", "REDIRECT_X_HTTP_AUTHORIZATION"]

  tests DummyController

  AUTH_HEADERS.each do |header|
    test "successful authentication with #{header.downcase}" do
      @request.env[header] = encode_credentials("lifo")
      get :index

      assert_response :success
      assert_equal "Hello Secret", @response.body, "Authentication failed for request header #{header}"
    end
    test "successful authentication with #{header.downcase} and long credentials" do
      @request.env[header] = encode_credentials("1234567890123456789012345678901234567890", algorithm: "test")
      get :show

      assert_response :success
      assert_equal "Only for loooooong credentials", @response.body, "Authentication failed for request header #{header} and long credentials"
    end
  end

  AUTH_HEADERS.each do |header|
    test "unsuccessful authentication with #{header.downcase}" do
      @request.env[header] = encode_credentials("h4x0r")
      get :index

      assert_response :unauthorized
      assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header}"
    end
    test "unsuccessful authentication with #{header.downcase} and long credentials" do
      @request.env[header] = encode_credentials("h4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0r")
      get :show

      assert_response :unauthorized
      assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header} and long credentials"
    end
  end

  test "authentication request with badly formatted header" do
    @request.env["HTTP_AUTHORIZATION"] = 'Token token$"lifo"'
    get :index

    assert_response :unauthorized
    assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
  end

  test "authentication request with evil header" do
    @request.env["HTTP_AUTHORIZATION"] = "Token ." + " " * (1024 * 80 - 8) + "."
    Timeout.timeout(1) do
      get :index
    end

    assert_response :unauthorized
    assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
  end

  test "successful authentication request with Bearer instead of Token" do
    @request.env["HTTP_AUTHORIZATION"] = "Bearer lifo"
    get :index

    assert_response :success
  end

  test "authentication request with tab in header" do
    @request.env["HTTP_AUTHORIZATION"] = "Token\ttoken=\"lifo\""
    get :index

    assert_response :success
    assert_equal "Hello Secret", @response.body
  end

  test "authentication request without credential" do
    get :display

    assert_response :unauthorized
    assert_equal "Authentication Failed\n", @response.body
    assert_equal 'Token realm="SuperSecret"', @response.headers["WWW-Authenticate"]
  end

  test "authentication request with invalid credential" do
    @request.env["HTTP_AUTHORIZATION"] = encode_credentials('"quote" pretty')
    get :display

    assert_response :unauthorized
    assert_equal "Authentication Failed\n", @response.body
    assert_equal 'Token realm="SuperSecret"', @response.headers["WWW-Authenticate"]
  end

  test "token_and_options returns correct token" do
    token = "rcHu+HzSFw89Ypyhn/896A=="
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token with value after the equal sign" do
    token = "rcHu+=HzSFw89Ypyhn/896A==f34"
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token with slashes" do
    token = 'rcHu+\\\\"/896A'
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token with quotes" do
    token = '\"quote\" pretty'
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns empty string with empty token" do
    token = +""
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token with nonce option" do
    token = "rcHu+HzSFw89Ypyhn/896A="
    nonce_hash = { nonce: "123abc" }
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token, nonce_hash))
    expected_token = token
    expected_nonce = { "nonce" => nonce_hash[:nonce] }
    assert_equal(expected_token, actual.first)
    assert_equal(expected_nonce, actual.last)
  end

  test "token_and_options returns nil with no value after the equal sign" do
    actual = ActionController::HttpAuthentication::Token.token_and_options(malformed_request).first
    assert_nil actual
  end

  test "token_and_options ignores empty elements in header value" do
    token = "foo,,bar,  ,   , baz=qux"
    expected_token = "foo"
    expected_options = { "bar" => nil, "baz" => "qux" }

    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token, {}))
    assert_equal expected_token, actual.first
    assert_equal expected_options, actual.last
  end

  test "raw_params returns a tuple of two key value pair strings" do
    auth = sample_request("rcHu+HzSFw89Ypyhn/896A=").authorization.to_s
    actual = ActionController::HttpAuthentication::Token.raw_params(auth)
    expected = ["token=\"rcHu+HzSFw89Ypyhn/896A=\"", "nonce=\"def\""]
    assert_equal(expected, actual)
  end

  test "raw_params returns a tuple of key value pair strings when auth does not contain a token key" do
    auth = sample_request_without_token_key("rcHu+HzSFw89Ypyhn/896A=").authorization.to_s
    actual = ActionController::HttpAuthentication::Token.raw_params(auth)
    expected = ["token=rcHu+HzSFw89Ypyhn/896A="]
    assert_equal(expected, actual)
  end

  test "raw_params returns a tuple of key strings when auth does not contain a token key and value" do
    auth = sample_request_without_token_key(nil).authorization.to_s
    actual = ActionController::HttpAuthentication::Token.raw_params(auth)
    expected = ["token="]
    assert_equal(expected, actual)
  end

  test "token_and_options returns right token when token key is not specified in header" do
    token = "rcHu+HzSFw89Ypyhn/896A="

    actual = ActionController::HttpAuthentication::Token.token_and_options(
      sample_request_without_token_key(token)
    ).first

    expected = token
    assert_equal(expected, actual)
  end

  private
    def sample_request(token, options = { nonce: "def" })
      authorization = options.inject([%{Token token="#{token}"}]) do |arr, (k, v)|
        arr << "#{k}=\"#{v}\""
      end.join(", ")
      mock_authorization_request(authorization)
    end

    def malformed_request
      mock_authorization_request(%{Token token=})
    end

    def sample_request_without_token_key(token)
      mock_authorization_request(%{Token #{token}})
    end

    def mock_authorization_request(authorization)
      Struct.new(:authorization).new(authorization)
    end

    def encode_credentials(token, options = {})
      ActionController::HttpAuthentication::Token.encode_credentials(token, options)
    end
end