ENH: filter enhancements on mod-digest (with test cases) for apache-auth (httpd-2.4.4)

config/filter.d/apache-auth.conf

@@ -35,15 +35,14 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
             ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
             ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
             ^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
-            ^%(_apache_error_client)s user .* authorization failure: \S*\s*$
             ^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
-            ^%(_apache_error_client)s invalid nonce .* received - (length|hash) is not \S+\s*$
-            ^%(_apache_error_client)s invalid nonce .* received - user attempted time travel\s*$
-            ^%(_apache_error_client)s user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
-            ^%(_apache_error_client)s user .*: one-time-nonce mismatch - sending new nonce\s*$
-            ^%(_apache_error_client)s realm mismatch - got `.*' but expected `.+'\s*$
-            ^%(_apache_error_client)s unknown algorithm `\S+' received: \S*\s*"$
-            ^%(_apache_error_client)s invalid qop `.*' received: \S*\s*"$
+            ^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
+            ^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
+            ^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
+            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
+            ^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
+            ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+            ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
 
 
 

testcases/files/config/apache-auth/digest.py

@@ -0,0 +1,99 @@
+#!/bin/env python
+import requests
+import md5
+
+
+def auth(v):
+
+    ha1 = md5.new(username + ':' + realm + ':' + password).hexdigest()
+    ha2 = md5.new("GET:" + url).hexdigest()
+    
+    #response = md5.new(ha1 + ':' + v['nonce'][1:-1] + ':' + v['nc'] + ':' + v['cnonce'][1:-1]
+    #                  + ':' + v['qop'][1:-1] + ':' + ha2).hexdigest()
+    
+    nonce = v['nonce'][1:-1]
+    nc=v.get('nc') or ''
+    cnonce = v.get('cnonce') or ''
+    qop = v['qop'][1:-1]
+    algorithm = v['algorithm']
+    response = md5.new(ha1 + ':' + nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2).hexdigest()
+    
+    p = requests.Request('GET', host + url).prepare()
+    #p.headers['Authentication-Info'] = response 
+    p.headers['Authorization'] = """
+        Digest username="%s",
+        algorithm="%s",
+        realm="%s",
+        uri="%s",
+        nonce="%s",
+        cnonce="",
+        nc="",
+        qop=%s,
+        response="%s"
+    """ % ( username, algorithm, realm, url, nonce, qop, response )
+    
+    s =  requests.Session()
+    return s.send(p)
+
+def preauth():
+    r = requests.get(host + url)
+    r.headers['www-authenticate'].split(', ')
+    return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
+
+
+url='/digest/'
+host = 'http://localhost:801'
+
+v = preauth()
+
+#print v
+username="username"
+password = "password"
+
+realm = 'so far away'
+r = auth(v)
+
+realm = v['Digest realm'][1:-1]
+
+# [Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area'
+
+
+algorithm = v['algorithm']
+v['algorithm'] = 'super funky chicken'
+r = auth(v)
+
+# [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+print r.status_code,r.headers, r.text
+v['algorithm'] = algorithm
+
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+nonce = v['nonce']
+v['nonce']=v['nonce'][5:-5]
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+# [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+
+v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+
+#[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+
+url='/digest_time/'
+v=preauth()
+
+import time
+time.sleep(1)
+
+r = auth(v)
+print r.status_code,r.headers, r.text
+

testcases/files/config/apache-auth/digest_time/.htaccess

@@ -0,0 +1,7 @@
+AuthType Digest
+AuthName "digest private area"
+AuthDigestDomain /digest_time/
+AuthBasicProvider file
+AuthUserFile /var/www/html/digest_time/.htpasswd
+AuthDigestNonceLifetime 1
+Require valid-user

testcases/files/config/apache-auth/digest_time/.htpasswd

@@ -0,0 +1 @@
+username:digest private area:fad48d3a7c63f61b5b3567a4105bbb04

testcases/files/logs/apache-auth

@@ -66,3 +66,35 @@
 
 # failJSON: { "time": "2013-07-20T21:45:28", "match": true , "host": "127.0.0.1" } 
 [Sat Jul 20 21:45:28.890523 2013] [auth_digest:error] [pid 17540:tid 140122972485376] [client 127.0.0.1:51408] AH01790: user `username' in realm `digest private area' not found: /digest_wrongrelm/cant_get_me.html
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:05:31", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:12:44", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:12:44 2013] [error] [client 127.0.0.1] Digest: invalid nonce JDiBAA=db9372522295196b7ac31db99e10cd1106c received - length is not 52
+
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:16:37", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:16:37 2013] [error] [client 127.0.0.1] Digest: invalid nonce l19lgpDiBAZZZf1ec3d9613f3b3ef43660e3628d78455fd8b937 received - hash is not 6fda8bbcbcf85ff1ebfe7d1c43faba583bc53a02
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:18:11", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:30:02", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:30:02 2013] [error] [client 127.0.0.1] Digest: realm mismatch - got `so far away' but expected `digest private area'
+
+# failJSON: { "time": "2013-07-28T21:27:56", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:27:56.549667 2013] [auth_digest:error] [pid 24835:tid 139895297222400] [client 127.0.0.1:57052] AH01788: realm mismatch - got `so far away' but expected `digest private area'
+
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-28T21:41:20", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+# failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" }
+[Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/