diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf index 4a275a4b..d1a2ffcb 100644 --- a/config/filter.d/apache-auth.conf +++ b/config/filter.d/apache-auth.conf @@ -35,15 +35,14 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$ ^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$ - ^%(_apache_error_client)s user .* authorization failure: \S*\s*$ ^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$ - ^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$ - ^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$ - ^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ - ^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$ - ^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$ - ^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$ - ^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$ + ^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$ + ^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$ + ^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$ + ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$ + ^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$ + ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ + ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ diff --git a/testcases/files/config/apache-auth/digest.py b/testcases/files/config/apache-auth/digest.py new file mode 100755 index 00000000..ed0e18eb --- /dev/null +++ b/testcases/files/config/apache-auth/digest.py @@ -0,0 +1,99 @@ +#!/bin/env python +import requests +import md5 + + +def auth(v): + + ha1 = md5.new(username + ':' + realm + ':' + password).hexdigest() + ha2 = md5.new("GET:" + url).hexdigest() + + #response = md5.new(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1] + # + ':' + v['qop'][1:-1] + ':' + ha2).hexdigest() + + nonce = v['nonce'][1:-1] + nc=v.get('nc') or '' + cnonce = v.get('cnonce') or '' + qop = v['qop'][1:-1] + algorithm = v['algorithm'] + response = md5.new(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest() + + p = requests.Request('GET', host + url).prepare() + #p.headers['Authentication-Info'] = response + p.headers['Authorization'] = """ + Digest username="%s", + algorithm="%s", + realm="%s", + uri="%s", + nonce="%s", + cnonce="", + nc="", + qop=%s, + response="%s" + """ % ( username, algorithm, realm, url, nonce, qop, response ) + + s = requests.Session() + return s.send(p) + +def preauth(): + r = requests.get(host + url) + r.headers['www-authenticate'].split(', ') + return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ]) + + +url='/digest/' +host = 'http://localhost:801' + +v = preauth() + +#print v +username="username" +password = "password" + +realm = 'so far away' +r = auth(v) + +realm = v['Digest realm'][1:-1] + +# [Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area' + + +algorithm = v['algorithm'] +v['algorithm'] = 'super funky chicken' +r = auth(v) + +# [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/ + +print r.status_code,r.headers, r.text +v['algorithm'] = algorithm + + +r = auth(v) +print r.status_code,r.headers, r.text + +nonce = v['nonce'] +v['nonce']=v['nonce'][5:-5] + +r = auth(v) +print r.status_code,r.headers, r.text + +# [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/ + + +v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:] + +r = auth(v) +print r.status_code,r.headers, r.text + +#[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b + + +url='/digest_time/' +v=preauth() + +import time +time.sleep(1) + +r = auth(v) +print r.status_code,r.headers, r.text + diff --git a/testcases/files/config/apache-auth/digest_time/.htaccess b/testcases/files/config/apache-auth/digest_time/.htaccess new file mode 100644 index 00000000..44036f57 --- /dev/null +++ b/testcases/files/config/apache-auth/digest_time/.htaccess @@ -0,0 +1,7 @@ +AuthType Digest +AuthName "digest private area" +AuthDigestDomain /digest_time/ +AuthBasicProvider file +AuthUserFile /var/www/html/digest_time/.htpasswd +AuthDigestNonceLifetime 1 +Require valid-user diff --git a/testcases/files/config/apache-auth/digest_time/.htaccess.swp b/testcases/files/config/apache-auth/digest_time/.htaccess.swp new file mode 100644 index 00000000..1d14e6f2 Binary files /dev/null and b/testcases/files/config/apache-auth/digest_time/.htaccess.swp differ diff --git a/testcases/files/config/apache-auth/digest_time/.htpasswd b/testcases/files/config/apache-auth/digest_time/.htpasswd new file mode 100644 index 00000000..cc649515 --- /dev/null +++ b/testcases/files/config/apache-auth/digest_time/.htpasswd @@ -0,0 +1 @@ +username:digest private area:fad48d3a7c63f61b5b3567a4105bbb04 diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth index e6d1aaad..95397cb5 100644 --- a/testcases/files/logs/apache-auth +++ b/testcases/files/logs/apache-auth @@ -66,3 +66,35 @@ # failJSON: { "time": "2013-07-20T21:45:28", "match": true , "host": "127.0.0.1" } [Sat Jul 20 21:45:28.890523 2013] [auth_digest:error] [pid 17540:tid 140122972485376] [client 127.0.0.1:51408] AH01790: user `username' in realm `digest private area' not found: /digest_wrongrelm/cant_get_me.html + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:05:31", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/ + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:12:44", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:12:44 2013] [error] [client 127.0.0.1] Digest: invalid nonce JDiBAA=db9372522295196b7ac31db99e10cd1106c received - length is not 52 + + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:16:37", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:16:37 2013] [error] [client 127.0.0.1] Digest: invalid nonce l19lgpDiBAZZZf1ec3d9613f3b3ef43660e3628d78455fd8b937 received - hash is not 6fda8bbcbcf85ff1ebfe7d1c43faba583bc53a02 + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:18:11", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:30:02", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:30:02 2013] [error] [client 127.0.0.1] Digest: realm mismatch - got `so far away' but expected `digest private area' + +# failJSON: { "time": "2013-07-28T21:27:56", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area' + + +# ./testcases/files/config/apache-auth/digest.py +# failJSON: { "time": "2013-07-28T21:41:20", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/ + +# failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" } +[Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/