1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_auth_gssapi_posix.h" 6 7 #include "base/basictypes.h" 8 #include "base/logging.h" 9 #include "base/memory/scoped_ptr.h" 10 #include "base/native_library.h" 11 #include "net/base/net_errors.h" 12 #include "net/http/mock_gssapi_library_posix.h" 13 #include "testing/gtest/include/gtest/gtest.h" 14 15 namespace net { 16 17 namespace { 18 19 // gss_buffer_t helpers. 20 void ClearBuffer(gss_buffer_t dest) { 21 if (!dest) 22 return; 23 dest->length = 0; 24 delete [] reinterpret_cast<char*>(dest->value); 25 dest->value = NULL; 26 } 27 28 void SetBuffer(gss_buffer_t dest, const void* src, size_t length) { 29 if (!dest) 30 return; 31 ClearBuffer(dest); 32 if (!src) 33 return; 34 dest->length = length; 35 if (length) { 36 dest->value = new char[length]; 37 memcpy(dest->value, src, length); 38 } 39 } 40 41 void CopyBuffer(gss_buffer_t dest, const gss_buffer_t src) { 42 if (!dest) 43 return; 44 ClearBuffer(dest); 45 if (!src) 46 return; 47 SetBuffer(dest, src->value, src->length); 48 } 49 50 const char kInitialAuthResponse[] = "Mary had a little lamb"; 51 52 void EstablishInitialContext(test::MockGSSAPILibrary* library) { 53 test::GssContextMockImpl context_info( 54 "localhost", // Source name 55 "example.com", // Target name 56 23, // Lifetime 57 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 58 0, // Context flags 59 1, // Locally initiated 60 0); // Open 61 gss_buffer_desc in_buffer = {0, NULL}; 62 gss_buffer_desc out_buffer = {arraysize(kInitialAuthResponse), 63 const_cast<char*>(kInitialAuthResponse)}; 64 library->ExpectSecurityContext( 65 "Negotiate", 66 GSS_S_CONTINUE_NEEDED, 67 0, 68 context_info, 69 in_buffer, 70 out_buffer); 71 } 72 73 } // namespace 74 75 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) { 76 // TODO(ahendrickson): Manipulate the libraries and paths to test each of the 77 // libraries we expect, and also whether or not they have the interface 78 // functions we want. 79 scoped_ptr<GSSAPILibrary> gssapi(new GSSAPISharedLibrary(std::string())); 80 DCHECK(gssapi.get()); 81 EXPECT_TRUE(gssapi.get()->Init()); 82 } 83 84 #if defined(DLOPEN_KERBEROS) 85 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPILoadCustomLibrary) { 86 scoped_ptr<GSSAPILibrary> gssapi( 87 new GSSAPISharedLibrary("/this/library/does/not/exist")); 88 EXPECT_FALSE(gssapi.get()->Init()); 89 } 90 #endif // defined(DLOPEN_KERBEROS) 91 92 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) { 93 scoped_ptr<test::MockGSSAPILibrary> mock_library(new test::MockGSSAPILibrary); 94 DCHECK(mock_library.get()); 95 mock_library->Init(); 96 const char kAuthResponse[] = "Mary had a little lamb"; 97 test::GssContextMockImpl context1( 98 "localhost", // Source name 99 "example.com", // Target name 100 23, // Lifetime 101 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 102 0, // Context flags 103 1, // Locally initiated 104 0); // Open 105 test::GssContextMockImpl context2( 106 "localhost", // Source name 107 "example.com", // Target name 108 23, // Lifetime 109 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 110 0, // Context flags 111 1, // Locally initiated 112 1); // Open 113 test::MockGSSAPILibrary::SecurityContextQuery queries[] = { 114 test::MockGSSAPILibrary::SecurityContextQuery( 115 "Negotiate", // Package name 116 GSS_S_CONTINUE_NEEDED, // Major response code 117 0, // Minor response code 118 context1, // Context 119 NULL, // Expected input token 120 kAuthResponse), // Output token 121 test::MockGSSAPILibrary::SecurityContextQuery( 122 "Negotiate", // Package name 123 GSS_S_COMPLETE, // Major response code 124 0, // Minor response code 125 context2, // Context 126 kAuthResponse, // Expected input token 127 kAuthResponse) // Output token 128 }; 129 130 for (size_t i = 0; i < arraysize(queries); ++i) { 131 mock_library->ExpectSecurityContext(queries[i].expected_package, 132 queries[i].response_code, 133 queries[i].minor_response_code, 134 queries[i].context_info, 135 queries[i].expected_input_token, 136 queries[i].output_token); 137 } 138 139 OM_uint32 major_status = 0; 140 OM_uint32 minor_status = 0; 141 gss_cred_id_t initiator_cred_handle = NULL; 142 gss_ctx_id_t context_handle = NULL; 143 gss_name_t target_name = NULL; 144 gss_OID mech_type = NULL; 145 OM_uint32 req_flags = 0; 146 OM_uint32 time_req = 25; 147 gss_channel_bindings_t input_chan_bindings = NULL; 148 gss_buffer_desc input_token = { 0, NULL }; 149 gss_OID actual_mech_type= NULL; 150 gss_buffer_desc output_token = { 0, NULL }; 151 OM_uint32 ret_flags = 0; 152 OM_uint32 time_rec = 0; 153 for (size_t i = 0; i < arraysize(queries); ++i) { 154 major_status = mock_library->init_sec_context(&minor_status, 155 initiator_cred_handle, 156 &context_handle, 157 target_name, 158 mech_type, 159 req_flags, 160 time_req, 161 input_chan_bindings, 162 &input_token, 163 &actual_mech_type, 164 &output_token, 165 &ret_flags, 166 &time_rec); 167 EXPECT_EQ(queries[i].response_code, major_status); 168 CopyBuffer(&input_token, &output_token); 169 ClearBuffer(&output_token); 170 } 171 ClearBuffer(&input_token); 172 major_status = mock_library->delete_sec_context(&minor_status, 173 &context_handle, 174 GSS_C_NO_BUFFER); 175 EXPECT_EQ(static_cast<OM_uint32>(GSS_S_COMPLETE), major_status); 176 } 177 178 TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) { 179 // The first round should just consist of an unadorned "Negotiate" header. 180 test::MockGSSAPILibrary mock_library; 181 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 182 CHROME_GSS_SPNEGO_MECH_OID_DESC); 183 std::string challenge_text = "Negotiate"; 184 HttpAuth::ChallengeTokenizer challenge(challenge_text.begin(), 185 challenge_text.end()); 186 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 187 auth_gssapi.ParseChallenge(&challenge)); 188 } 189 190 TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) { 191 // The first round should just have "Negotiate", and the second round should 192 // have a valid base64 token associated with it. 193 test::MockGSSAPILibrary mock_library; 194 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 195 CHROME_GSS_SPNEGO_MECH_OID_DESC); 196 std::string first_challenge_text = "Negotiate"; 197 HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), 198 first_challenge_text.end()); 199 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 200 auth_gssapi.ParseChallenge(&first_challenge)); 201 202 // Generate an auth token and create another thing. 203 EstablishInitialContext(&mock_library); 204 std::string auth_token; 205 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 206 &auth_token)); 207 208 std::string second_challenge_text = "Negotiate Zm9vYmFy"; 209 HttpAuth::ChallengeTokenizer second_challenge(second_challenge_text.begin(), 210 second_challenge_text.end()); 211 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 212 auth_gssapi.ParseChallenge(&second_challenge)); 213 } 214 215 TEST(HttpAuthGSSAPITest, ParseChallenge_UnexpectedTokenFirstRound) { 216 // If the first round challenge has an additional authentication token, it 217 // should be treated as an invalid challenge from the server. 218 test::MockGSSAPILibrary mock_library; 219 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 220 CHROME_GSS_SPNEGO_MECH_OID_DESC); 221 std::string challenge_text = "Negotiate Zm9vYmFy"; 222 HttpAuth::ChallengeTokenizer challenge(challenge_text.begin(), 223 challenge_text.end()); 224 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID, 225 auth_gssapi.ParseChallenge(&challenge)); 226 } 227 228 TEST(HttpAuthGSSAPITest, ParseChallenge_MissingTokenSecondRound) { 229 // If a later-round challenge is simply "Negotiate", it should be treated as 230 // an authentication challenge rejection from the server or proxy. 231 test::MockGSSAPILibrary mock_library; 232 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 233 CHROME_GSS_SPNEGO_MECH_OID_DESC); 234 std::string first_challenge_text = "Negotiate"; 235 HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), 236 first_challenge_text.end()); 237 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 238 auth_gssapi.ParseChallenge(&first_challenge)); 239 240 EstablishInitialContext(&mock_library); 241 std::string auth_token; 242 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 243 &auth_token)); 244 std::string second_challenge_text = "Negotiate"; 245 HttpAuth::ChallengeTokenizer second_challenge(second_challenge_text.begin(), 246 second_challenge_text.end()); 247 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_REJECT, 248 auth_gssapi.ParseChallenge(&second_challenge)); 249 } 250 251 TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) { 252 // If a later-round challenge has an invalid base64 encoded token, it should 253 // be treated as an invalid challenge. 254 test::MockGSSAPILibrary mock_library; 255 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 256 CHROME_GSS_SPNEGO_MECH_OID_DESC); 257 std::string first_challenge_text = "Negotiate"; 258 HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), 259 first_challenge_text.end()); 260 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 261 auth_gssapi.ParseChallenge(&first_challenge)); 262 263 EstablishInitialContext(&mock_library); 264 std::string auth_token; 265 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 266 &auth_token)); 267 std::string second_challenge_text = "Negotiate =happyjoy="; 268 HttpAuth::ChallengeTokenizer second_challenge(second_challenge_text.begin(), 269 second_challenge_text.end()); 270 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID, 271 auth_gssapi.ParseChallenge(&second_challenge)); 272 } 273 274 } // namespace net 275