TST: apache-auth filter - nonce timetravel tests + other expression fixes

pull/287/head
Daniel Black 11 years ago
parent 52aaa1c9bb
commit 7b2773889d

@ -35,11 +35,11 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
^%(_apache_error_client)s (AH0177[56]: )?(Digest: )?invalid nonce .* received - (length|hash) is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$

@ -37,18 +37,19 @@ def auth(v):
def preauth():
r = requests.get(host + url)
print r
r.headers['www-authenticate'].split(', ')
return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])
url='/digest/'
host = 'http://localhost:801'
host = 'http://localhost:802'
v = preauth()
#print v
username="username"
password = "password"
print v
realm = 'so far away'
r = auth(v)
@ -97,3 +98,52 @@ time.sleep(1)
r = auth(v)
print r.status_code,r.headers, r.text
# Obtained by putting the following code in modules/aaa/mod_auth_digest.c
# in the function initialize_secret
# {
# const char *hex = "0123456789abcdef";
# char secbuff[SECRET_LEN * 4];
# char *hash = secbuff;
# int idx;
# for (idx=0; idx<sizeof(secret); idx++) {
# *hash++ = hex[secret[idx] >> 4];
# *hash++ = hex[secret[idx] & 0xF];
# }
# *hash = '\0';
# /* remove comment in below for apache-2.4+ */
# ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, /* APLOGNO(11759) */ "secret: %s", secbuff);
# }
import sha
import binascii
import base64
import struct
apachesecret = binascii.unhexlify('cc969f83b4029e672115f2e8ff7dd21a976728f9')
s = sha.sha(apachesecret)
v=preauth()
print v['nonce']
realm = v['Digest realm'][1:-1]
(t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
# whee, time travel
t = t + 5540
timepac = base64.b64encode(struct.pack('l',t))
s.update(realm)
s.update(timepac)
v['nonce'] = v['nonce'][0] + timepac + s.hexdigest() + v['nonce'][-1]
print v
r = auth(v)
#[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
print r.status_code,r.headers, r.text

@ -50,6 +50,8 @@
# failJSON: { "time": "2013-07-20T22:11:43", "match": true , "host": "127.0.0.1" }
[Sat Jul 20 22:11:43.147674 2013] [authz_owner:error] [pid 17540:tid 140122922129152] [client 127.0.0.1:51548] AH01637: Authorization of user username to access /basic/authz_owner/cant_get_me.html failed, reason: file owner dan does not match
# wget --http-user=username --http-password=password http://localhost/basic/authz_owner/cant_get_me.html -O /dev/null
# failJSON: { "time": "2013-07-20T21:42:44", "match": true , "host": "127.0.0.1" }
[Sat Jul 20 21:42:44.304159 2013] [authz_core:error] [pid 17484:tid 140123095914240] [client 127.0.0.1:51397] AH01631: user username: authorization failure for "/basic/authz_owner/cant_get_me.html":
@ -98,3 +100,12 @@
# failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" }
[Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/
# ./testcases/files/config/apache-auth/digest.py
# failJSON: { "time": "2013-07-29T02:15:26", "match": true , "host": "127.0.0.1" }
[Mon Jul 29 02:15:26 2013] [error] [client 127.0.0.1] Digest: invalid nonce LWEDr5TiBAA=ceddd011628c30e3646f7acda4f1a0ab6b7c5ae6 received - user attempted time travel
# failJSON: { "time": "2013-07-29T02:12:55", "match": true , "host": "127.0.0.1" }
[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel

Loading…
Cancel
Save