Home | History | Annotate | Download | only in http
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/http/http_auth_handler_negotiate.h"
      6 
      7 #include "base/strings/string_util.h"
      8 #include "base/strings/utf_string_conversions.h"
      9 #include "net/base/net_errors.h"
     10 #include "net/base/test_completion_callback.h"
     11 #include "net/dns/mock_host_resolver.h"
     12 #include "net/http/http_request_info.h"
     13 #include "net/http/mock_allow_url_security_manager.h"
     14 #if defined(OS_WIN)
     15 #include "net/http/mock_sspi_library_win.h"
     16 #elif defined(OS_POSIX)
     17 #include "net/http/mock_gssapi_library_posix.h"
     18 #endif
     19 #include "testing/gtest/include/gtest/gtest.h"
     20 #include "testing/platform_test.h"
     21 
     22 #if defined(OS_WIN)
     23 typedef net::MockSSPILibrary MockAuthLibrary;
     24 #elif defined(OS_POSIX)
     25 typedef net::test::MockGSSAPILibrary MockAuthLibrary;
     26 #endif
     27 
     28 namespace net {
     29 
     30 class HttpAuthHandlerNegotiateTest : public PlatformTest {
     31  public:
     32   virtual void SetUp() {
     33     auth_library_ = new MockAuthLibrary();
     34     resolver_.reset(new MockHostResolver());
     35     resolver_->rules()->AddIPLiteralRule("alias", "10.0.0.2",
     36                                            "canonical.example.com");
     37 
     38     url_security_manager_.reset(new MockAllowURLSecurityManager());
     39     factory_.reset(new HttpAuthHandlerNegotiate::Factory());
     40     factory_->set_url_security_manager(url_security_manager_.get());
     41     factory_->set_library(auth_library_);
     42     factory_->set_host_resolver(resolver_.get());
     43   }
     44 
     45   void SetupMocks(MockAuthLibrary* mock_library) {
     46 #if defined(OS_WIN)
     47     security_package_.reset(new SecPkgInfoW);
     48     memset(security_package_.get(), 0x0, sizeof(SecPkgInfoW));
     49     security_package_->cbMaxToken = 1337;
     50     mock_library->ExpectQuerySecurityPackageInfo(
     51         L"Negotiate", SEC_E_OK, security_package_.get());
     52 #elif defined(OS_POSIX)
     53     // Copied from an actual transaction!
     54     static const char kAuthResponse[] =
     55         "\x60\x82\x02\xCA\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01"
     56         "\x00\x6E\x82\x02\xB9\x30\x82\x02\xB5\xA0\x03\x02\x01\x05\xA1\x03"
     57         "\x02\x01\x0E\xA2\x07\x03\x05\x00\x00\x00\x00\x00\xA3\x82\x01\xC1"
     58         "\x61\x82\x01\xBD\x30\x82\x01\xB9\xA0\x03\x02\x01\x05\xA1\x16\x1B"
     59         "\x14\x55\x4E\x49\x58\x2E\x43\x4F\x52\x50\x2E\x47\x4F\x4F\x47\x4C"
     60         "\x45\x2E\x43\x4F\x4D\xA2\x2C\x30\x2A\xA0\x03\x02\x01\x01\xA1\x23"
     61         "\x30\x21\x1B\x04\x68\x6F\x73\x74\x1B\x19\x6E\x69\x6E\x6A\x61\x2E"
     62         "\x63\x61\x6D\x2E\x63\x6F\x72\x70\x2E\x67\x6F\x6F\x67\x6C\x65\x2E"
     63         "\x63\x6F\x6D\xA3\x82\x01\x6A\x30\x82\x01\x66\xA0\x03\x02\x01\x10"
     64         "\xA1\x03\x02\x01\x01\xA2\x82\x01\x58\x04\x82\x01\x54\x2C\xB1\x2B"
     65         "\x0A\xA5\xFF\x6F\xEC\xDE\xB0\x19\x6E\x15\x20\x18\x0C\x42\xB3\x2C"
     66         "\x4B\xB0\x37\x02\xDE\xD3\x2F\xB4\xBF\xCA\xEC\x0E\xF9\xF3\x45\x6A"
     67         "\x43\xF3\x8D\x79\xBD\xCB\xCD\xB2\x2B\xB8\xFC\xD6\xB4\x7F\x09\x48"
     68         "\x14\xA7\x4F\xD2\xEE\xBC\x1B\x2F\x18\x3B\x81\x97\x7B\x28\xA4\xAF"
     69         "\xA8\xA3\x7A\x31\x1B\xFC\x97\xB6\xBA\x8A\x50\x50\xD7\x44\xB8\x30"
     70         "\xA4\x51\x4C\x3A\x95\x6C\xA1\xED\xE2\xEF\x17\xFE\xAB\xD2\xE4\x70"
     71         "\xDE\xEB\x7E\x86\x48\xC5\x3E\x19\x5B\x83\x17\xBB\x52\x26\xC0\xF3"
     72         "\x38\x0F\xB0\x8C\x72\xC9\xB0\x8B\x99\x96\x18\xE1\x9E\x67\x9D\xDC"
     73         "\xF5\x39\x80\x70\x35\x3F\x98\x72\x16\x44\xA2\xC0\x10\xAA\x70\xBD"
     74         "\x06\x6F\x83\xB1\xF4\x67\xA4\xBD\xDA\xF7\x79\x1D\x96\xB5\x7E\xF8"
     75         "\xC6\xCF\xB4\xD9\x51\xC9\xBB\xB4\x20\x3C\xDD\xB9\x2C\x38\xEA\x40"
     76         "\xFB\x02\x6C\xCB\x48\x71\xE8\xF4\x34\x5B\x63\x5D\x13\x57\xBD\xD1"
     77         "\x3D\xDE\xE8\x4A\x51\x6E\xBE\x4C\xF5\xA3\x84\xF7\x4C\x4E\x58\x04"
     78         "\xBE\xD1\xCC\x22\xA0\x43\xB0\x65\x99\x6A\xE0\x78\x0D\xFC\xE1\x42"
     79         "\xA9\x18\xCF\x55\x4D\x23\xBD\x5C\x0D\xB5\x48\x25\x47\xCC\x01\x54"
     80         "\x36\x4D\x0C\x6F\xAC\xCD\x33\x21\xC5\x63\x18\x91\x68\x96\xE9\xD1"
     81         "\xD8\x23\x1F\x21\xAE\x96\xA3\xBD\x27\xF7\x4B\xEF\x4C\x43\xFF\xF8"
     82         "\x22\x57\xCF\x68\x6C\x35\xD5\x21\x48\x5B\x5F\x8F\xA5\xB9\x6F\x99"
     83         "\xA6\xE0\x6E\xF0\xC5\x7C\x91\xC8\x0B\x8A\x4B\x4E\x80\x59\x02\xE9"
     84         "\xE8\x3F\x87\x04\xA6\xD1\xCA\x26\x3C\xF0\xDA\x57\xFA\xE6\xAF\x25"
     85         "\x43\x34\xE1\xA4\x06\x1A\x1C\xF4\xF5\x21\x9C\x00\x98\xDD\xF0\xB4"
     86         "\x8E\xA4\x81\xDA\x30\x81\xD7\xA0\x03\x02\x01\x10\xA2\x81\xCF\x04"
     87         "\x81\xCC\x20\x39\x34\x60\x19\xF9\x4C\x26\x36\x46\x99\x7A\xFD\x2B"
     88         "\x50\x8B\x2D\x47\x72\x38\x20\x43\x0E\x6E\x28\xB3\xA7\x4F\x26\xF1"
     89         "\xF1\x7B\x02\x63\x58\x5A\x7F\xC8\xD0\x6E\xF5\xD1\xDA\x28\x43\x1B"
     90         "\x6D\x9F\x59\x64\xDE\x90\xEA\x6C\x8C\xA9\x1B\x1E\x92\x29\x24\x23"
     91         "\x2C\xE3\xEA\x64\xEF\x91\xA5\x4E\x94\xE1\xDC\x56\x3A\xAF\xD5\xBC"
     92         "\xC9\xD3\x9B\x6B\x1F\xBE\x40\xE5\x40\xFF\x5E\x21\xEA\xCE\xFC\xD5"
     93         "\xB0\xE5\xBA\x10\x94\xAE\x16\x54\xFC\xEB\xAB\xF1\xD4\x20\x31\xCC"
     94         "\x26\xFE\xBE\xFE\x22\xB6\x9B\x1A\xE5\x55\x2C\x93\xB7\x3B\xD6\x4C"
     95         "\x35\x35\xC1\x59\x61\xD4\x1F\x2E\x4C\xE1\x72\x8F\x71\x4B\x0C\x39"
     96         "\x80\x79\xFA\xCD\xEA\x71\x1B\xAE\x35\x41\xED\xF9\x65\x0C\x59\xF8"
     97         "\xE1\x27\xDA\xD6\xD1\x20\x32\xCD\xBF\xD1\xEF\xE2\xED\xAD\x5D\xA7"
     98         "\x69\xE3\x55\xF9\x30\xD3\xD4\x08\xC8\xCA\x62\xF8\x64\xEC\x9B\x92"
     99         "\x1A\xF1\x03\x2E\xCC\xDC\xEB\x17\xDE\x09\xAC\xA9\x58\x86";
    100     test::GssContextMockImpl context1(
    101         "localhost",                         // Source name
    102         "example.com",                       // Target name
    103         23,                                  // Lifetime
    104         *CHROME_GSS_SPNEGO_MECH_OID_DESC,    // Mechanism
    105         0,                                   // Context flags
    106         1,                                   // Locally initiated
    107         0);                                  // Open
    108     test::GssContextMockImpl context2(
    109         "localhost",                         // Source name
    110         "example.com",                       // Target name
    111         23,                                  // Lifetime
    112         *CHROME_GSS_SPNEGO_MECH_OID_DESC,    // Mechanism
    113         0,                                   // Context flags
    114         1,                                   // Locally initiated
    115         1);                                  // Open
    116     test::MockGSSAPILibrary::SecurityContextQuery queries[] = {
    117     test::MockGSSAPILibrary::SecurityContextQuery(
    118         "Negotiate",                    // Package name
    119         GSS_S_CONTINUE_NEEDED,          // Major response code
    120         0,                              // Minor response code
    121         context1,                       // Context
    122         NULL,                           // Expected input token
    123         kAuthResponse),                 // Output token
    124     test::MockGSSAPILibrary::SecurityContextQuery(
    125         "Negotiate",                    // Package name
    126         GSS_S_COMPLETE,                 // Major response code
    127         0,                              // Minor response code
    128         context2,                       // Context
    129         kAuthResponse,                  // Expected input token
    130         kAuthResponse)                  // Output token
    131     };
    132 
    133     for (size_t i = 0; i < arraysize(queries); ++i) {
    134       mock_library->ExpectSecurityContext(queries[i].expected_package,
    135                                           queries[i].response_code,
    136                                           queries[i].minor_response_code,
    137                                           queries[i].context_info,
    138                                           queries[i].expected_input_token,
    139                                           queries[i].output_token);
    140     }
    141 #endif  // defined(OS_POSIX)
    142   }
    143 
    144 #if defined(OS_POSIX)
    145   void SetupErrorMocks(MockAuthLibrary* mock_library,
    146                        int major_status,
    147                        int minor_status) {
    148     const gss_OID_desc kDefaultMech = { 0, NULL };
    149     test::GssContextMockImpl context(
    150         "localhost",                    // Source name
    151         "example.com",                  // Target name
    152         0,                              // Lifetime
    153         kDefaultMech,                   // Mechanism
    154         0,                              // Context flags
    155         1,                              // Locally initiated
    156         0);                             // Open
    157     test::MockGSSAPILibrary::SecurityContextQuery query(
    158         "Negotiate",                    // Package name
    159         major_status,                   // Major response code
    160         minor_status,                   // Minor response code
    161         context,                        // Context
    162         NULL,                           // Expected input token
    163         NULL);                          // Output token
    164 
    165     mock_library->ExpectSecurityContext(query.expected_package,
    166                                         query.response_code,
    167                                         query.minor_response_code,
    168                                         query.context_info,
    169                                         query.expected_input_token,
    170                                         query.output_token);
    171   }
    172 
    173 #endif  // defined(OS_POSIX)
    174 
    175   int CreateHandler(bool disable_cname_lookup, bool use_port,
    176                      bool synchronous_resolve_mode,
    177                      const std::string& url_string,
    178                      scoped_ptr<HttpAuthHandlerNegotiate>* handler) {
    179     factory_->set_disable_cname_lookup(disable_cname_lookup);
    180     factory_->set_use_port(use_port);
    181     resolver_->set_synchronous_mode(synchronous_resolve_mode);
    182     GURL gurl(url_string);
    183 
    184     // Note: This is a little tricky because CreateAuthHandlerFromString
    185     // expects a scoped_ptr<HttpAuthHandler>* rather than a
    186     // scoped_ptr<HttpAuthHandlerNegotiate>*. This needs to do the cast
    187     // after creating the handler, and make sure that generic_handler
    188     // no longer holds on to the HttpAuthHandlerNegotiate object.
    189     scoped_ptr<HttpAuthHandler> generic_handler;
    190     int rv = factory_->CreateAuthHandlerFromString("Negotiate",
    191                                                    HttpAuth::AUTH_SERVER,
    192                                                    gurl,
    193                                                    BoundNetLog(),
    194                                                    &generic_handler);
    195     if (rv != OK)
    196       return rv;
    197     HttpAuthHandlerNegotiate* negotiate_handler =
    198         static_cast<HttpAuthHandlerNegotiate*>(generic_handler.release());
    199     handler->reset(negotiate_handler);
    200     return rv;
    201   }
    202 
    203   MockAuthLibrary* AuthLibrary() { return auth_library_; }
    204 
    205  private:
    206 #if defined(OS_WIN)
    207   scoped_ptr<SecPkgInfoW> security_package_;
    208 #endif
    209   // |auth_library_| is passed to |factory_|, which assumes ownership of it.
    210   MockAuthLibrary* auth_library_;
    211   scoped_ptr<MockHostResolver> resolver_;
    212   scoped_ptr<URLSecurityManager> url_security_manager_;
    213   scoped_ptr<HttpAuthHandlerNegotiate::Factory> factory_;
    214 };
    215 
    216 TEST_F(HttpAuthHandlerNegotiateTest, DisableCname) {
    217   SetupMocks(AuthLibrary());
    218   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    219   EXPECT_EQ(OK, CreateHandler(
    220       true, false, true, "http://alias:500", &auth_handler));
    221 
    222   ASSERT_TRUE(auth_handler.get() != NULL);
    223   TestCompletionCallback callback;
    224   HttpRequestInfo request_info;
    225   std::string token;
    226   EXPECT_EQ(OK, auth_handler->GenerateAuthToken(NULL, &request_info,
    227                                                 callback.callback(), &token));
    228 #if defined(OS_WIN)
    229   EXPECT_EQ("HTTP/alias", auth_handler->spn());
    230 #elif defined(OS_POSIX)
    231   EXPECT_EQ("HTTP@alias", auth_handler->spn());
    232 #endif
    233 }
    234 
    235 TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameStandardPort) {
    236   SetupMocks(AuthLibrary());
    237   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    238   EXPECT_EQ(OK, CreateHandler(
    239       true, true, true, "http://alias:80", &auth_handler));
    240   ASSERT_TRUE(auth_handler.get() != NULL);
    241   TestCompletionCallback callback;
    242   HttpRequestInfo request_info;
    243   std::string token;
    244   EXPECT_EQ(OK, auth_handler->GenerateAuthToken(NULL, &request_info,
    245                                                 callback.callback(), &token));
    246 #if defined(OS_WIN)
    247   EXPECT_EQ("HTTP/alias", auth_handler->spn());
    248 #elif defined(OS_POSIX)
    249   EXPECT_EQ("HTTP@alias", auth_handler->spn());
    250 #endif
    251 }
    252 
    253 TEST_F(HttpAuthHandlerNegotiateTest, DisableCnameNonstandardPort) {
    254   SetupMocks(AuthLibrary());
    255   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    256   EXPECT_EQ(OK, CreateHandler(
    257       true, true, true, "http://alias:500", &auth_handler));
    258   ASSERT_TRUE(auth_handler.get() != NULL);
    259   TestCompletionCallback callback;
    260   HttpRequestInfo request_info;
    261   std::string token;
    262   EXPECT_EQ(OK, auth_handler->GenerateAuthToken(NULL, &request_info,
    263                                                 callback.callback(), &token));
    264 #if defined(OS_WIN)
    265   EXPECT_EQ("HTTP/alias:500", auth_handler->spn());
    266 #elif defined(OS_POSIX)
    267   EXPECT_EQ("HTTP@alias:500", auth_handler->spn());
    268 #endif
    269 }
    270 
    271 TEST_F(HttpAuthHandlerNegotiateTest, CnameSync) {
    272   SetupMocks(AuthLibrary());
    273   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    274   EXPECT_EQ(OK, CreateHandler(
    275       false, false, true, "http://alias:500", &auth_handler));
    276   ASSERT_TRUE(auth_handler.get() != NULL);
    277   TestCompletionCallback callback;
    278   HttpRequestInfo request_info;
    279   std::string token;
    280   EXPECT_EQ(OK, auth_handler->GenerateAuthToken(NULL, &request_info,
    281                                                 callback.callback(), &token));
    282 #if defined(OS_WIN)
    283   EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn());
    284 #elif defined(OS_POSIX)
    285   EXPECT_EQ("HTTP (at) canonical.example.com", auth_handler->spn());
    286 #endif
    287 }
    288 
    289 TEST_F(HttpAuthHandlerNegotiateTest, CnameAsync) {
    290   SetupMocks(AuthLibrary());
    291   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    292   EXPECT_EQ(OK, CreateHandler(
    293       false, false, false, "http://alias:500", &auth_handler));
    294   ASSERT_TRUE(auth_handler.get() != NULL);
    295   TestCompletionCallback callback;
    296   HttpRequestInfo request_info;
    297   std::string token;
    298   EXPECT_EQ(ERR_IO_PENDING, auth_handler->GenerateAuthToken(
    299       NULL, &request_info, callback.callback(), &token));
    300   EXPECT_EQ(OK, callback.WaitForResult());
    301 #if defined(OS_WIN)
    302   EXPECT_EQ("HTTP/canonical.example.com", auth_handler->spn());
    303 #elif defined(OS_POSIX)
    304   EXPECT_EQ("HTTP (at) canonical.example.com", auth_handler->spn());
    305 #endif
    306 }
    307 
    308 #if defined(OS_POSIX)
    309 
    310 // This test is only for GSSAPI, as we can't use explicit credentials with
    311 // that library.
    312 TEST_F(HttpAuthHandlerNegotiateTest, ServerNotInKerberosDatabase) {
    313   SetupErrorMocks(AuthLibrary(), GSS_S_FAILURE, 0x96C73A07);  // No server
    314   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    315   EXPECT_EQ(OK, CreateHandler(
    316       false, false, false, "http://alias:500", &auth_handler));
    317   ASSERT_TRUE(auth_handler.get() != NULL);
    318   TestCompletionCallback callback;
    319   HttpRequestInfo request_info;
    320   std::string token;
    321   EXPECT_EQ(ERR_IO_PENDING, auth_handler->GenerateAuthToken(
    322       NULL, &request_info, callback.callback(), &token));
    323   EXPECT_EQ(ERR_MISSING_AUTH_CREDENTIALS, callback.WaitForResult());
    324 }
    325 
    326 // This test is only for GSSAPI, as we can't use explicit credentials with
    327 // that library.
    328 TEST_F(HttpAuthHandlerNegotiateTest, NoKerberosCredentials) {
    329   SetupErrorMocks(AuthLibrary(), GSS_S_FAILURE, 0x96C73AC3);  // No credentials
    330   scoped_ptr<HttpAuthHandlerNegotiate> auth_handler;
    331   EXPECT_EQ(OK, CreateHandler(
    332       false, false, false, "http://alias:500", &auth_handler));
    333   ASSERT_TRUE(auth_handler.get() != NULL);
    334   TestCompletionCallback callback;
    335   HttpRequestInfo request_info;
    336   std::string token;
    337   EXPECT_EQ(ERR_IO_PENDING, auth_handler->GenerateAuthToken(
    338       NULL, &request_info, callback.callback(), &token));
    339   EXPECT_EQ(ERR_MISSING_AUTH_CREDENTIALS, callback.WaitForResult());
    340 }
    341 
    342 #if defined(DLOPEN_KERBEROS)
    343 TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
    344   scoped_ptr<HostResolver> host_resolver(new MockHostResolver());
    345   MockAllowURLSecurityManager url_security_manager;
    346   scoped_ptr<HttpAuthHandlerNegotiate::Factory> negotiate_factory(
    347       new HttpAuthHandlerNegotiate::Factory());
    348   negotiate_factory->set_host_resolver(host_resolver.get());
    349   negotiate_factory->set_url_security_manager(&url_security_manager);
    350   negotiate_factory->set_library(
    351       new GSSAPISharedLibrary("/this/library/does/not/exist"));
    352 
    353   GURL gurl("http://www.example.com");
    354   scoped_ptr<HttpAuthHandler> generic_handler;
    355   int rv = negotiate_factory->CreateAuthHandlerFromString(
    356       "Negotiate",
    357       HttpAuth::AUTH_SERVER,
    358       gurl,
    359       BoundNetLog(),
    360       &generic_handler);
    361   EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME, rv);
    362   EXPECT_TRUE(generic_handler.get() == NULL);
    363 }
    364 #endif  // defined(DLOPEN_KERBEROS)
    365 
    366 #endif  // defined(OS_POSIX)
    367 
    368 }  // namespace net
    369