blob: 95ae9f9145944fe71ee18980d7d6bb7b082bdec8 [file] [log] [blame]
// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/http/http_auth_sspi_win.h"
#include <vector>
#include "base/base64.h"
#include "base/functional/bind.h"
#include "base/json/json_reader.h"
#include "net/base/net_errors.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_challenge_tokenizer.h"
#include "net/http/mock_sspi_library_win.h"
#include "net/log/net_log_entry.h"
#include "net/log/net_log_event_type.h"
#include "net/log/net_log_with_source.h"
#include "net/log/test_net_log.h"
#include "net/test/gtest_util.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
using net::test::IsError;
using net::test::IsOk;
namespace net {
namespace {
void MatchDomainUserAfterSplit(const std::u16string& combined,
const std::u16string& expected_domain,
const std::u16string& expected_user) {
std::u16string actual_domain;
std::u16string actual_user;
SplitDomainAndUser(combined, &actual_domain, &actual_user);
EXPECT_EQ(expected_domain, actual_domain);
EXPECT_EQ(expected_user, actual_user);
}
const ULONG kMaxTokenLength = 100;
void UnexpectedCallback(int result) {
// At present getting tokens from gssapi is fully synchronous, so the callback
// should never be called.
ADD_FAILURE();
}
} // namespace
TEST(HttpAuthSSPITest, SplitUserAndDomain) {
MatchDomainUserAfterSplit(u"foobar", u"", u"foobar");
MatchDomainUserAfterSplit(u"FOO\\bar", u"FOO", u"bar");
}
TEST(HttpAuthSSPITest, DetermineMaxTokenLength_Normal) {
SecPkgInfoW package_info;
memset(&package_info, 0x0, sizeof(package_info));
package_info.cbMaxToken = 1337;
MockSSPILibrary mock_library{L"NTLM"};
mock_library.ExpectQuerySecurityPackageInfo(SEC_E_OK, &package_info);
ULONG max_token_length = kMaxTokenLength;
int rv = mock_library.DetermineMaxTokenLength(&max_token_length);
EXPECT_THAT(rv, IsOk());
EXPECT_EQ(1337u, max_token_length);
}
TEST(HttpAuthSSPITest, DetermineMaxTokenLength_InvalidPackage) {
MockSSPILibrary mock_library{L"Foo"};
mock_library.ExpectQuerySecurityPackageInfo(SEC_E_SECPKG_NOT_FOUND, nullptr);
ULONG max_token_length = kMaxTokenLength;
int rv = mock_library.DetermineMaxTokenLength(&max_token_length);
EXPECT_THAT(rv, IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
// |DetermineMaxTokenLength()| interface states that |max_token_length| should
// not change on failure.
EXPECT_EQ(100u, max_token_length);
}
TEST(HttpAuthSSPITest, ParseChallenge_FirstRound) {
// The first round should just consist of an unadorned "Negotiate" header.
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string challenge_text = "Negotiate";
HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&challenge));
}
TEST(HttpAuthSSPITest, ParseChallenge_TwoRounds) {
// The first round should just have "Negotiate", and the second round should
// have a valid base64 token associated with it.
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string first_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
first_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&first_challenge));
// Generate an auth token and create another thing.
std::string auth_token;
EXPECT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
std::string second_challenge_text = "Negotiate Zm9vYmFy";
HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
second_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&second_challenge));
}
TEST(HttpAuthSSPITest, ParseChallenge_UnexpectedTokenFirstRound) {
// If the first round challenge has an additional authentication token, it
// should be treated as an invalid challenge from the server.
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string challenge_text = "Negotiate Zm9vYmFy";
HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
auth_sspi.ParseChallenge(&challenge));
}
TEST(HttpAuthSSPITest, ParseChallenge_MissingTokenSecondRound) {
// If a later-round challenge is simply "Negotiate", it should be treated as
// an authentication challenge rejection from the server or proxy.
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string first_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
first_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&first_challenge));
std::string auth_token;
EXPECT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
std::string second_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
second_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_REJECT,
auth_sspi.ParseChallenge(&second_challenge));
}
TEST(HttpAuthSSPITest, ParseChallenge_NonBase64EncodedToken) {
// If a later-round challenge has an invalid base64 encoded token, it should
// be treated as an invalid challenge.
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string first_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
first_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&first_challenge));
std::string auth_token;
EXPECT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
std::string second_challenge_text = "Negotiate =happyjoy=";
HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
second_challenge_text.end());
EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
auth_sspi.ParseChallenge(&second_challenge));
}
// Runs through a full handshake against the MockSSPILibrary.
TEST(HttpAuthSSPITest, GenerateAuthToken_FullHandshake_AmbientCreds) {
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string first_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
first_challenge_text.end());
ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&first_challenge));
std::string auth_token;
ASSERT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
EXPECT_EQ("Negotiate ", auth_token.substr(0, 10));
std::string decoded_token;
ASSERT_TRUE(base::Base64Decode(auth_token.substr(10), &decoded_token));
// This token string indicates that HttpAuthSSPI correctly established the
// security context using the default credentials.
EXPECT_EQ("<Default>'s token #1 for HTTP/intranet.google.com", decoded_token);
// The server token is arbitrary.
std::string second_challenge_text = "Negotiate UmVzcG9uc2U=";
HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
second_challenge_text.end());
ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&second_challenge));
ASSERT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
NetLogWithSource(), base::BindOnce(&UnexpectedCallback)));
ASSERT_EQ("Negotiate ", auth_token.substr(0, 10));
ASSERT_TRUE(base::Base64Decode(auth_token.substr(10), &decoded_token));
EXPECT_EQ("<Default>'s token #2 for HTTP/intranet.google.com", decoded_token);
}
// Test NetLogs produced while going through a full Negotiate handshake.
TEST(HttpAuthSSPITest, GenerateAuthToken_FullHandshake_AmbientCreds_Logging) {
RecordingNetLogObserver net_log_observer;
NetLogWithSource net_log_with_source =
NetLogWithSource::Make(NetLogSourceType::NONE);
MockSSPILibrary mock_library{NEGOSSP_NAME};
HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
std::string first_challenge_text = "Negotiate";
HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
first_challenge_text.end());
ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&first_challenge));
std::string auth_token;
ASSERT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
net_log_with_source, base::BindOnce(&UnexpectedCallback)));
// The token is the ASCII string "Response" in base64.
std::string second_challenge_text = "Negotiate UmVzcG9uc2U=";
HttpAuthChallengeTokenizer second_challenge(second_challenge_text.begin(),
second_challenge_text.end());
ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
auth_sspi.ParseChallenge(&second_challenge));
ASSERT_EQ(OK,
auth_sspi.GenerateAuthToken(
nullptr, "HTTP/intranet.google.com", std::string(), &auth_token,
net_log_with_source, base::BindOnce(&UnexpectedCallback)));
auto entries = net_log_observer.GetEntriesWithType(
NetLogEventType::AUTH_LIBRARY_ACQUIRE_CREDS);
ASSERT_EQ(2u, entries.size()); // BEGIN and END.
auto expected = base::JSONReader::Read(R"(
{
"status": {
"net_error": 0,
"security_status": 0
}
}
)");
EXPECT_EQ(expected, entries[1].params);
entries = net_log_observer.GetEntriesWithType(
NetLogEventType::AUTH_LIBRARY_INIT_SEC_CTX);
ASSERT_EQ(4u, entries.size());
expected = base::JSONReader::Read(R"(
{
"flags": {
"delegated": false,
"mutual": false,
"value": "0x00000000"
},
"spn": "HTTP/intranet.google.com"
}
)");
EXPECT_EQ(expected, entries[0].params);
expected = base::JSONReader::Read(R"(
{
"context": {
"authority": "Dodgy Server",
"flags": {
"delegated": false,
"mutual": false,
"value": "0x00000000"
},
"mechanism": "Itsa me Kerberos!!",
"open": true,
"source": "\u003CDefault>",
"target": "HTTP/intranet.google.com"
},
"status": {
"net_error": 0,
"security_status": 0
}
}
)");
EXPECT_EQ(expected, entries[1].params);
expected = base::JSONReader::Read(R"(
{
"context": {
"authority": "Dodgy Server",
"flags": {
"delegated": false,
"mutual": false,
"value": "0x00000000"
},
"mechanism": "Itsa me Kerberos!!",
"open": false,
"source": "\u003CDefault>",
"target": "HTTP/intranet.google.com"
},
"status": {
"net_error": 0,
"security_status": 0
}
}
)");
EXPECT_EQ(expected, entries[3].params);
}
} // namespace net