1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_auth_gssapi_posix.h" 6 7 #include "base/basictypes.h" 8 #include "base/logging.h" 9 #include "base/memory/scoped_ptr.h" 10 #include "base/native_library.h" 11 #include "net/base/net_errors.h" 12 #include "net/http/http_auth_challenge_tokenizer.h" 13 #include "net/http/mock_gssapi_library_posix.h" 14 #include "testing/gtest/include/gtest/gtest.h" 15 16 namespace net { 17 18 namespace { 19 20 // gss_buffer_t helpers. 21 void ClearBuffer(gss_buffer_t dest) { 22 if (!dest) 23 return; 24 dest->length = 0; 25 delete [] reinterpret_cast<char*>(dest->value); 26 dest->value = NULL; 27 } 28 29 void SetBuffer(gss_buffer_t dest, const void* src, size_t length) { 30 if (!dest) 31 return; 32 ClearBuffer(dest); 33 if (!src) 34 return; 35 dest->length = length; 36 if (length) { 37 dest->value = new char[length]; 38 memcpy(dest->value, src, length); 39 } 40 } 41 42 void CopyBuffer(gss_buffer_t dest, const gss_buffer_t src) { 43 if (!dest) 44 return; 45 ClearBuffer(dest); 46 if (!src) 47 return; 48 SetBuffer(dest, src->value, src->length); 49 } 50 51 const char kInitialAuthResponse[] = "Mary had a little lamb"; 52 53 void EstablishInitialContext(test::MockGSSAPILibrary* library) { 54 test::GssContextMockImpl context_info( 55 "localhost", // Source name 56 "example.com", // Target name 57 23, // Lifetime 58 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 59 0, // Context flags 60 1, // Locally initiated 61 0); // Open 62 gss_buffer_desc in_buffer = {0, NULL}; 63 gss_buffer_desc out_buffer = {arraysize(kInitialAuthResponse), 64 const_cast<char*>(kInitialAuthResponse)}; 65 library->ExpectSecurityContext( 66 "Negotiate", 67 GSS_S_CONTINUE_NEEDED, 68 0, 69 context_info, 70 in_buffer, 71 out_buffer); 72 } 73 74 } // namespace 75 76 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) { 77 // TODO(ahendrickson): Manipulate the libraries and paths to test each of the 78 // libraries we expect, and also whether or not they have the interface 79 // functions we want. 80 scoped_ptr<GSSAPILibrary> gssapi(new GSSAPISharedLibrary(std::string())); 81 DCHECK(gssapi.get()); 82 EXPECT_TRUE(gssapi.get()->Init()); 83 } 84 85 #if defined(DLOPEN_KERBEROS) 86 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPILoadCustomLibrary) { 87 scoped_ptr<GSSAPILibrary> gssapi( 88 new GSSAPISharedLibrary("/this/library/does/not/exist")); 89 EXPECT_FALSE(gssapi.get()->Init()); 90 } 91 #endif // defined(DLOPEN_KERBEROS) 92 93 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) { 94 scoped_ptr<test::MockGSSAPILibrary> mock_library(new test::MockGSSAPILibrary); 95 DCHECK(mock_library.get()); 96 mock_library->Init(); 97 const char kAuthResponse[] = "Mary had a little lamb"; 98 test::GssContextMockImpl context1( 99 "localhost", // Source name 100 "example.com", // Target name 101 23, // Lifetime 102 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 103 0, // Context flags 104 1, // Locally initiated 105 0); // Open 106 test::GssContextMockImpl context2( 107 "localhost", // Source name 108 "example.com", // Target name 109 23, // Lifetime 110 *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 111 0, // Context flags 112 1, // Locally initiated 113 1); // Open 114 test::MockGSSAPILibrary::SecurityContextQuery queries[] = { 115 test::MockGSSAPILibrary::SecurityContextQuery( 116 "Negotiate", // Package name 117 GSS_S_CONTINUE_NEEDED, // Major response code 118 0, // Minor response code 119 context1, // Context 120 NULL, // Expected input token 121 kAuthResponse), // Output token 122 test::MockGSSAPILibrary::SecurityContextQuery( 123 "Negotiate", // Package name 124 GSS_S_COMPLETE, // Major response code 125 0, // Minor response code 126 context2, // Context 127 kAuthResponse, // Expected input token 128 kAuthResponse) // Output token 129 }; 130 131 for (size_t i = 0; i < arraysize(queries); ++i) { 132 mock_library->ExpectSecurityContext(queries[i].expected_package, 133 queries[i].response_code, 134 queries[i].minor_response_code, 135 queries[i].context_info, 136 queries[i].expected_input_token, 137 queries[i].output_token); 138 } 139 140 OM_uint32 major_status = 0; 141 OM_uint32 minor_status = 0; 142 gss_cred_id_t initiator_cred_handle = NULL; 143 gss_ctx_id_t context_handle = NULL; 144 gss_name_t target_name = NULL; 145 gss_OID mech_type = NULL; 146 OM_uint32 req_flags = 0; 147 OM_uint32 time_req = 25; 148 gss_channel_bindings_t input_chan_bindings = NULL; 149 gss_buffer_desc input_token = { 0, NULL }; 150 gss_OID actual_mech_type= NULL; 151 gss_buffer_desc output_token = { 0, NULL }; 152 OM_uint32 ret_flags = 0; 153 OM_uint32 time_rec = 0; 154 for (size_t i = 0; i < arraysize(queries); ++i) { 155 major_status = mock_library->init_sec_context(&minor_status, 156 initiator_cred_handle, 157 &context_handle, 158 target_name, 159 mech_type, 160 req_flags, 161 time_req, 162 input_chan_bindings, 163 &input_token, 164 &actual_mech_type, 165 &output_token, 166 &ret_flags, 167 &time_rec); 168 EXPECT_EQ(queries[i].response_code, major_status); 169 CopyBuffer(&input_token, &output_token); 170 ClearBuffer(&output_token); 171 } 172 ClearBuffer(&input_token); 173 major_status = mock_library->delete_sec_context(&minor_status, 174 &context_handle, 175 GSS_C_NO_BUFFER); 176 EXPECT_EQ(static_cast<OM_uint32>(GSS_S_COMPLETE), major_status); 177 } 178 179 TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) { 180 // The first round should just consist of an unadorned "Negotiate" header. 181 test::MockGSSAPILibrary mock_library; 182 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 183 CHROME_GSS_SPNEGO_MECH_OID_DESC); 184 std::string challenge_text = "Negotiate"; 185 HttpAuthChallengeTokenizer challenge(challenge_text.begin(), 186 challenge_text.end()); 187 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 188 auth_gssapi.ParseChallenge(&challenge)); 189 } 190 191 TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) { 192 // The first round should just have "Negotiate", and the second round should 193 // have a valid base64 token associated with it. 194 test::MockGSSAPILibrary mock_library; 195 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 196 CHROME_GSS_SPNEGO_MECH_OID_DESC); 197 std::string first_challenge_text = "Negotiate"; 198 HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(), 199 first_challenge_text.end()); 200 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 201 auth_gssapi.ParseChallenge(&first_challenge)); 202 203 // Generate an auth token and create another thing. 204 EstablishInitialContext(&mock_library); 205 std::string auth_token; 206 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 207 &auth_token)); 208 209 std::string second_challenge_text = "Negotiate Zm9vYmFy"; 210 HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(), 211 second_challenge_text.end()); 212 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 213 auth_gssapi.ParseChallenge(&second_challenge)); 214 } 215 216 TEST(HttpAuthGSSAPITest, ParseChallenge_UnexpectedTokenFirstRound) { 217 // If the first round challenge has an additional authentication token, it 218 // should be treated as an invalid challenge from the server. 219 test::MockGSSAPILibrary mock_library; 220 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 221 CHROME_GSS_SPNEGO_MECH_OID_DESC); 222 std::string challenge_text = "Negotiate Zm9vYmFy"; 223 HttpAuthChallengeTokenizer challenge(challenge_text.begin(), 224 challenge_text.end()); 225 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID, 226 auth_gssapi.ParseChallenge(&challenge)); 227 } 228 229 TEST(HttpAuthGSSAPITest, ParseChallenge_MissingTokenSecondRound) { 230 // If a later-round challenge is simply "Negotiate", it should be treated as 231 // an authentication challenge rejection from the server or proxy. 232 test::MockGSSAPILibrary mock_library; 233 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 234 CHROME_GSS_SPNEGO_MECH_OID_DESC); 235 std::string first_challenge_text = "Negotiate"; 236 HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(), 237 first_challenge_text.end()); 238 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 239 auth_gssapi.ParseChallenge(&first_challenge)); 240 241 EstablishInitialContext(&mock_library); 242 std::string auth_token; 243 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 244 &auth_token)); 245 std::string second_challenge_text = "Negotiate"; 246 HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(), 247 second_challenge_text.end()); 248 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_REJECT, 249 auth_gssapi.ParseChallenge(&second_challenge)); 250 } 251 252 TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) { 253 // If a later-round challenge has an invalid base64 encoded token, it should 254 // be treated as an invalid challenge. 255 test::MockGSSAPILibrary mock_library; 256 HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", 257 CHROME_GSS_SPNEGO_MECH_OID_DESC); 258 std::string first_challenge_text = "Negotiate"; 259 HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(), 260 first_challenge_text.end()); 261 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT, 262 auth_gssapi.ParseChallenge(&first_challenge)); 263 264 EstablishInitialContext(&mock_library); 265 std::string auth_token; 266 EXPECT_EQ(OK, auth_gssapi.GenerateAuthToken(NULL, "HTTP/intranet.google.com", 267 &auth_token)); 268 std::string second_challenge_text = "Negotiate =happyjoy="; 269 HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(), 270 second_challenge_text.end()); 271 EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID, 272 auth_gssapi.ParseChallenge(&second_challenge)); 273 } 274 275 } // namespace net 276