TST: apache-auth filter - nonce timetravel tests + other expression fixes

11 years ago · 7b2773889d
parent 52aaa1c9bb
commit 7b2773889d
3 changed files with 68 additions and 7 deletions
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@ -35,11 +35,11 @@ failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server config
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: )?(Digest: )?user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
-            ^%(_apache_error_client)s (AH01631: )?user .* authorization failure for "\S*": \s*$
-            ^%(_apache_error_client)s (AH0177[56]: )?invalid nonce .* received - (length|hash) is not \S+\s*$
-            ^%(_apache_error_client)s (AH01788: )?realm mismatch - got `.*' but expected `.+'\s*$
-            ^%(_apache_error_client)s (AH01789: )?unknown algorithm `\S+' received: \S*\s*"$
-            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*"$
+            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
+            ^%(_apache_error_client)s (AH0177[56]: )?(Digest: )?invalid nonce .* received - (length|hash) is not \S+\s*$
+            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
+            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
+            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?invalid nonce .* received - user attempted time travel\s*$
            ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
            ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
--- a/testcases/files/config/apache-auth/digest.py
+++ b/testcases/files/config/apache-auth/digest.py
@ -37,18 +37,19 @@ def auth(v):

 def preauth():
    r = requests.get(host + url)
+    print r
    r.headers['www-authenticate'].split(', ')
    return dict([ a.split('=',1) for a in r.headers['www-authenticate'].split(', ') ])


 url='/digest/'
-host = 'http://localhost:801'
+host = 'http://localhost:802'

 v = preauth()

-#print v
 username="username"
 password = "password"
+print v

 realm = 'so far away'
 r = auth(v)
@ -97,3 +98,52 @@ time.sleep(1)
 r = auth(v)
 print r.status_code,r.headers, r.text

+# Obtained by putting the following code in modules/aaa/mod_auth_digest.c
+# in the function initialize_secret
+#    {
+#       const char *hex = "0123456789abcdef";
+#       char secbuff[SECRET_LEN * 4];
+#       char *hash = secbuff;
+#       int idx;
+
+#       for (idx=0; idx<sizeof(secret); idx++) {
+#       *hash++ = hex[secret[idx] >> 4];
+#       *hash++ = hex[secret[idx] & 0xF];
+#       }
+#       *hash = '\0';
+#       /* remove comment in below for apache-2.4+ */
+#       ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, /*  APLOGNO(11759) */ "secret: %s", secbuff);
+#   }
+
+
+import sha
+import binascii
+import base64
+import struct
+
+apachesecret = binascii.unhexlify('cc969f83b4029e672115f2e8ff7dd21a976728f9')
+s = sha.sha(apachesecret)
+
+v=preauth()
+
+print v['nonce']
+realm = v['Digest realm'][1:-1]
+
+(t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+
+# whee, time travel
+t = t + 5540
+
+timepac = base64.b64encode(struct.pack('l',t))
+
+s.update(realm)
+s.update(timepac)
+
+v['nonce'] =  v['nonce'][0] + timepac + s.hexdigest() + v['nonce'][-1]
+
+print v
+
+r = auth(v)
+#[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
+print r.status_code,r.headers, r.text
+
--- a/testcases/files/logs/apache-auth
+++ b/testcases/files/logs/apache-auth
@ -50,6 +50,8 @@

 # failJSON: { "time": "2013-07-20T22:11:43", "match": true , "host": "127.0.0.1" } 
 [Sat Jul 20 22:11:43.147674 2013] [authz_owner:error] [pid 17540:tid 140122922129152] [client 127.0.0.1:51548] AH01637: Authorization of user username to access /basic/authz_owner/cant_get_me.html failed, reason: file owner dan does not match
+
+# wget --http-user=username --http-password=password http://localhost/basic/authz_owner/cant_get_me.html -O /dev/null
 # failJSON: { "time": "2013-07-20T21:42:44", "match": true , "host": "127.0.0.1" } 
 [Sat Jul 20 21:42:44.304159 2013] [authz_core:error] [pid 17484:tid 140123095914240] [client 127.0.0.1:51397] AH01631: user username: authorization failure for "/basic/authz_owner/cant_get_me.html": 

@ -98,3 +100,12 @@

 # failJSON: { "time": "2013-07-28T21:42:03", "match": true , "host": "127.0.0.1" }
 [Sun Jul 28 21:42:03.930190 2013] [auth_digest:error] [pid 24835:tid 139895505884928] [client 127.0.0.1:57115] AH01789: unknown algorithm `super funky chicken' received: /digest/
+
+# ./testcases/files/config/apache-auth/digest.py
+# failJSON: { "time": "2013-07-29T02:15:26", "match": true , "host": "127.0.0.1" }
+[Mon Jul 29 02:15:26 2013] [error] [client 127.0.0.1] Digest: invalid nonce LWEDr5TiBAA=ceddd011628c30e3646f7acda4f1a0ab6b7c5ae6 received - user attempted time travel
+
+
+
+# failJSON: { "time": "2013-07-29T02:12:55", "match": true , "host": "127.0.0.1" }
+[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel