1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "net/http/http_auth_handler_negotiate.h"
7 #include "base/strings/string_util.h"
8 #include "base/strings/utf_string_conversions.h"
9 #include "net/base/net_errors.h"
10 #include "net/base/test_completion_callback.h"
11 #include "net/dns/mock_host_resolver.h"
12 #include "net/http/http_request_info.h"
13 #include "net/http/mock_allow_url_security_manager.h"
15 #include "net/http/mock_sspi_library_win.h"
16 #elif defined(OS_POSIX)
17 #include "net/http/mock_gssapi_library_posix.h"
19 #include "testing/gtest/include/gtest/gtest.h"
20 #include "testing/platform_test.h"
23 typedef net::MockSSPILibrary MockAuthLibrary
;
24 #elif defined(OS_POSIX)
25 typedef net::test::MockGSSAPILibrary MockAuthLibrary
;
30 class HttpAuthHandlerNegotiateTest
: public PlatformTest
{
32 virtual void SetUp() {
33 auth_library_
= new MockAuthLibrary();
34 resolver_
.reset(new MockHostResolver());
35 resolver_
->rules()->AddIPLiteralRule("alias", "10.0.0.2",
36 "canonical.example.com");
38 url_security_manager_
.reset(new MockAllowURLSecurityManager());
39 factory_
.reset(new HttpAuthHandlerNegotiate::Factory());
40 factory_
->set_url_security_manager(url_security_manager_
.get());
41 factory_
->set_library(auth_library_
);
42 factory_
->set_host_resolver(resolver_
.get());
45 void SetupMocks(MockAuthLibrary
* mock_library
) {
47 security_package_
.reset(new SecPkgInfoW
);
48 memset(security_package_
.get(), 0x0, sizeof(SecPkgInfoW
));
49 security_package_
->cbMaxToken
= 1337;
50 mock_library
->ExpectQuerySecurityPackageInfo(
51 L
"Negotiate", SEC_E_OK
, security_package_
.get());
52 #elif defined(OS_POSIX)
53 // Copied from an actual transaction!
54 static const char kAuthResponse
[] =
55 "\x60\x82\x02\xCA\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01"
56 "\x00\x6E\x82\x02\xB9\x30\x82\x02\xB5\xA0\x03\x02\x01\x05\xA1\x03"
57 "\x02\x01\x0E\xA2\x07\x03\x05\x00\x00\x00\x00\x00\xA3\x82\x01\xC1"
58 "\x61\x82\x01\xBD\x30\x82\x01\xB9\xA0\x03\x02\x01\x05\xA1\x16\x1B"
59 "\x14\x55\x4E\x49\x58\x2E\x43\x4F\x52\x50\x2E\x47\x4F\x4F\x47\x4C"
60 "\x45\x2E\x43\x4F\x4D\xA2\x2C\x30\x2A\xA0\x03\x02\x01\x01\xA1\x23"
61 "\x30\x21\x1B\x04\x68\x6F\x73\x74\x1B\x19\x6E\x69\x6E\x6A\x61\x2E"
62 "\x63\x61\x6D\x2E\x63\x6F\x72\x70\x2E\x67\x6F\x6F\x67\x6C\x65\x2E"
63 "\x63\x6F\x6D\xA3\x82\x01\x6A\x30\x82\x01\x66\xA0\x03\x02\x01\x10"
64 "\xA1\x03\x02\x01\x01\xA2\x82\x01\x58\x04\x82\x01\x54\x2C\xB1\x2B"
65 "\x0A\xA5\xFF\x6F\xEC\xDE\xB0\x19\x6E\x15\x20\x18\x0C\x42\xB3\x2C"
66 "\x4B\xB0\x37\x02\xDE\xD3\x2F\xB4\xBF\xCA\xEC\x0E\xF9\xF3\x45\x6A"
67 "\x43\xF3\x8D\x79\xBD\xCB\xCD\xB2\x2B\xB8\xFC\xD6\xB4\x7F\x09\x48"
68 "\x14\xA7\x4F\xD2\xEE\xBC\x1B\x2F\x18\x3B\x81\x97\x7B\x28\xA4\xAF"
69 "\xA8\xA3\x7A\x31\x1B\xFC\x97\xB6\xBA\x8A\x50\x50\xD7\x44\xB8\x30"
70 "\xA4\x51\x4C\x3A\x95\x6C\xA1\xED\xE2\xEF\x17\xFE\xAB\xD2\xE4\x70"
71 "\xDE\xEB\x7E\x86\x48\xC5\x3E\x19\x5B\x83\x17\xBB\x52\x26\xC0\xF3"
72 "\x38\x0F\xB0\x8C\x72\xC9\xB0\x8B\x99\x96\x18\xE1\x9E\x67\x9D\xDC"
73 "\xF5\x39\x80\x70\x35\x3F\x98\x72\x16\x44\xA2\xC0\x10\xAA\x70\xBD"
74 "\x06\x6F\x83\xB1\xF4\x67\xA4\xBD\xDA\xF7\x79\x1D\x96\xB5\x7E\xF8"
75 "\xC6\xCF\xB4\xD9\x51\xC9\xBB\xB4\x20\x3C\xDD\xB9\x2C\x38\xEA\x40"
76 "\xFB\x02\x6C\xCB\x48\x71\xE8\xF4\x34\x5B\x63\x5D\x13\x57\xBD\xD1"
77 "\x3D\xDE\xE8\x4A\x51\x6E\xBE\x4C\xF5\xA3\x84\xF7\x4C\x4E\x58\x04"
78 "\xBE\xD1\xCC\x22\xA0\x43\xB0\x65\x99\x6A\xE0\x78\x0D\xFC\xE1\x42"
79 "\xA9\x18\xCF\x55\x4D\x23\xBD\x5C\x0D\xB5\x48\x25\x47\xCC\x01\x54"
80 "\x36\x4D\x0C\x6F\xAC\xCD\x33\x21\xC5\x63\x18\x91\x68\x96\xE9\xD1"
81 "\xD8\x23\x1F\x21\xAE\x96\xA3\xBD\x27\xF7\x4B\xEF\x4C\x43\xFF\xF8"
82 "\x22\x57\xCF\x68\x6C\x35\xD5\x21\x48\x5B\x5F\x8F\xA5\xB9\x6F\x99"
83 "\xA6\xE0\x6E\xF0\xC5\x7C\x91\xC8\x0B\x8A\x4B\x4E\x80\x59\x02\xE9"
84 "\xE8\x3F\x87\x04\xA6\xD1\xCA\x26\x3C\xF0\xDA\x57\xFA\xE6\xAF\x25"
85 "\x43\x34\xE1\xA4\x06\x1A\x1C\xF4\xF5\x21\x9C\x00\x98\xDD\xF0\xB4"
86 "\x8E\xA4\x81\xDA\x30\x81\xD7\xA0\x03\x02\x01\x10\xA2\x81\xCF\x04"
87 "\x81\xCC\x20\x39\x34\x60\x19\xF9\x4C\x26\x36\x46\x99\x7A\xFD\x2B"
88 "\x50\x8B\x2D\x47\x72\x38\x20\x43\x0E\x6E\x28\xB3\xA7\x4F\x26\xF1"
89 "\xF1\x7B\x02\x63\x58\x5A\x7F\xC8\xD0\x6E\xF5\xD1\xDA\x28\x43\x1B"
90 "\x6D\x9F\x59\x64\xDE\x90\xEA\x6C\x8C\xA9\x1B\x1E\x92\x29\x24\x23"
91 "\x2C\xE3\xEA\x64\xEF\x91\xA5\x4E\x94\xE1\xDC\x56\x3A\xAF\xD5\xBC"
92 "\xC9\xD3\x9B\x6B\x1F\xBE\x40\xE5\x40\xFF\x5E\x21\xEA\xCE\xFC\xD5"
93 "\xB0\xE5\xBA\x10\x94\xAE\x16\x54\xFC\xEB\xAB\xF1\xD4\x20\x31\xCC"
94 "\x26\xFE\xBE\xFE\x22\xB6\x9B\x1A\xE5\x55\x2C\x93\xB7\x3B\xD6\x4C"
95 "\x35\x35\xC1\x59\x61\xD4\x1F\x2E\x4C\xE1\x72\x8F\x71\x4B\x0C\x39"
96 "\x80\x79\xFA\xCD\xEA\x71\x1B\xAE\x35\x41\xED\xF9\x65\x0C\x59\xF8"
97 "\xE1\x27\xDA\xD6\xD1\x20\x32\xCD\xBF\xD1\xEF\xE2\xED\xAD\x5D\xA7"
98 "\x69\xE3\x55\xF9\x30\xD3\xD4\x08\xC8\xCA\x62\xF8\x64\xEC\x9B\x92"
99 "\x1A\xF1\x03\x2E\xCC\xDC\xEB\x17\xDE\x09\xAC\xA9\x58\x86";
100 test::GssContextMockImpl
context1(
101 "localhost", // Source name
102 "example.com", // Target name
104 *CHROME_GSS_SPNEGO_MECH_OID_DESC
, // Mechanism
106 1, // Locally initiated
108 test::GssContextMockImpl
context2(
109 "localhost", // Source name
110 "example.com", // Target name
112 *CHROME_GSS_SPNEGO_MECH_OID_DESC
, // Mechanism
114 1, // Locally initiated
116 test::MockGSSAPILibrary::SecurityContextQuery queries
[] = {
117 test::MockGSSAPILibrary::SecurityContextQuery(
118 "Negotiate", // Package name
119 GSS_S_CONTINUE_NEEDED
, // Major response code
120 0, // Minor response code
122 NULL
, // Expected input token
123 kAuthResponse
), // Output token
124 test::MockGSSAPILibrary::SecurityContextQuery(
125 "Negotiate", // Package name
126 GSS_S_COMPLETE
, // Major response code
127 0, // Minor response code
129 kAuthResponse
, // Expected input token
130 kAuthResponse
) // Output token
133 for (size_t i
= 0; i
< arraysize(queries
); ++i
) {
134 mock_library
->ExpectSecurityContext(queries
[i
].expected_package
,
135 queries
[i
].response_code
,
136 queries
[i
].minor_response_code
,
137 queries
[i
].context_info
,
138 queries
[i
].expected_input_token
,
139 queries
[i
].output_token
);
141 #endif // defined(OS_POSIX)
144 #if defined(OS_POSIX)
145 void SetupErrorMocks(MockAuthLibrary
* mock_library
,
148 const gss_OID_desc kDefaultMech
= { 0, NULL
};
149 test::GssContextMockImpl
context(
150 "localhost", // Source name
151 "example.com", // Target name
153 kDefaultMech
, // Mechanism
155 1, // Locally initiated
157 test::MockGSSAPILibrary::SecurityContextQuery
query(
158 "Negotiate", // Package name
159 major_status
, // Major response code
160 minor_status
, // Minor response code
162 NULL
, // Expected input token
163 NULL
); // Output token
165 mock_library
->ExpectSecurityContext(query
.expected_package
,
167 query
.minor_response_code
,
169 query
.expected_input_token
,
173 #endif // defined(OS_POSIX)
175 int CreateHandler(bool disable_cname_lookup
, bool use_port
,
176 bool synchronous_resolve_mode
,
177 const std::string
& url_string
,
178 scoped_ptr
<HttpAuthHandlerNegotiate
>* handler
) {
179 factory_
->set_disable_cname_lookup(disable_cname_lookup
);
180 factory_
->set_use_port(use_port
);
181 resolver_
->set_synchronous_mode(synchronous_resolve_mode
);
182 GURL
gurl(url_string
);
184 // Note: This is a little tricky because CreateAuthHandlerFromString
185 // expects a scoped_ptr<HttpAuthHandler>* rather than a
186 // scoped_ptr<HttpAuthHandlerNegotiate>*. This needs to do the cast
187 // after creating the handler, and make sure that generic_handler
188 // no longer holds on to the HttpAuthHandlerNegotiate object.
189 scoped_ptr
<HttpAuthHandler
> generic_handler
;
190 int rv
= factory_
->CreateAuthHandlerFromString("Negotiate",
191 HttpAuth::AUTH_SERVER
,
197 HttpAuthHandlerNegotiate
* negotiate_handler
=
198 static_cast<HttpAuthHandlerNegotiate
*>(generic_handler
.release());
199 handler
->reset(negotiate_handler
);
203 MockAuthLibrary
* AuthLibrary() { return auth_library_
; }
207 scoped_ptr
<SecPkgInfoW
> security_package_
;
209 // |auth_library_| is passed to |factory_|, which assumes ownership of it.
210 MockAuthLibrary
* auth_library_
;
211 scoped_ptr
<MockHostResolver
> resolver_
;
212 scoped_ptr
<URLSecurityManager
> url_security_manager_
;
213 scoped_ptr
<HttpAuthHandlerNegotiate::Factory
> factory_
;
216 TEST_F(HttpAuthHandlerNegotiateTest
, DisableCname
) {
217 SetupMocks(AuthLibrary());
218 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
219 EXPECT_EQ(OK
, CreateHandler(
220 true, false, true, "http://alias:500", &auth_handler
));
222 ASSERT_TRUE(auth_handler
.get() != NULL
);
223 TestCompletionCallback callback
;
224 HttpRequestInfo request_info
;
226 EXPECT_EQ(OK
, auth_handler
->GenerateAuthToken(NULL
, &request_info
,
227 callback
.callback(), &token
));
229 EXPECT_EQ("HTTP/alias", auth_handler
->spn());
230 #elif defined(OS_POSIX)
231 EXPECT_EQ("HTTP@alias", auth_handler
->spn());
235 TEST_F(HttpAuthHandlerNegotiateTest
, DisableCnameStandardPort
) {
236 SetupMocks(AuthLibrary());
237 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
238 EXPECT_EQ(OK
, CreateHandler(
239 true, true, true, "http://alias:80", &auth_handler
));
240 ASSERT_TRUE(auth_handler
.get() != NULL
);
241 TestCompletionCallback callback
;
242 HttpRequestInfo request_info
;
244 EXPECT_EQ(OK
, auth_handler
->GenerateAuthToken(NULL
, &request_info
,
245 callback
.callback(), &token
));
247 EXPECT_EQ("HTTP/alias", auth_handler
->spn());
248 #elif defined(OS_POSIX)
249 EXPECT_EQ("HTTP@alias", auth_handler
->spn());
253 TEST_F(HttpAuthHandlerNegotiateTest
, DisableCnameNonstandardPort
) {
254 SetupMocks(AuthLibrary());
255 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
256 EXPECT_EQ(OK
, CreateHandler(
257 true, true, true, "http://alias:500", &auth_handler
));
258 ASSERT_TRUE(auth_handler
.get() != NULL
);
259 TestCompletionCallback callback
;
260 HttpRequestInfo request_info
;
262 EXPECT_EQ(OK
, auth_handler
->GenerateAuthToken(NULL
, &request_info
,
263 callback
.callback(), &token
));
265 EXPECT_EQ("HTTP/alias:500", auth_handler
->spn());
266 #elif defined(OS_POSIX)
267 EXPECT_EQ("HTTP@alias:500", auth_handler
->spn());
271 TEST_F(HttpAuthHandlerNegotiateTest
, CnameSync
) {
272 SetupMocks(AuthLibrary());
273 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
274 EXPECT_EQ(OK
, CreateHandler(
275 false, false, true, "http://alias:500", &auth_handler
));
276 ASSERT_TRUE(auth_handler
.get() != NULL
);
277 TestCompletionCallback callback
;
278 HttpRequestInfo request_info
;
280 EXPECT_EQ(OK
, auth_handler
->GenerateAuthToken(NULL
, &request_info
,
281 callback
.callback(), &token
));
283 EXPECT_EQ("HTTP/canonical.example.com", auth_handler
->spn());
284 #elif defined(OS_POSIX)
285 EXPECT_EQ("HTTP@canonical.example.com", auth_handler
->spn());
289 TEST_F(HttpAuthHandlerNegotiateTest
, CnameAsync
) {
290 SetupMocks(AuthLibrary());
291 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
292 EXPECT_EQ(OK
, CreateHandler(
293 false, false, false, "http://alias:500", &auth_handler
));
294 ASSERT_TRUE(auth_handler
.get() != NULL
);
295 TestCompletionCallback callback
;
296 HttpRequestInfo request_info
;
298 EXPECT_EQ(ERR_IO_PENDING
, auth_handler
->GenerateAuthToken(
299 NULL
, &request_info
, callback
.callback(), &token
));
300 EXPECT_EQ(OK
, callback
.WaitForResult());
302 EXPECT_EQ("HTTP/canonical.example.com", auth_handler
->spn());
303 #elif defined(OS_POSIX)
304 EXPECT_EQ("HTTP@canonical.example.com", auth_handler
->spn());
308 #if defined(OS_POSIX)
310 // This test is only for GSSAPI, as we can't use explicit credentials with
312 TEST_F(HttpAuthHandlerNegotiateTest
, ServerNotInKerberosDatabase
) {
313 SetupErrorMocks(AuthLibrary(), GSS_S_FAILURE
, 0x96C73A07); // No server
314 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
315 EXPECT_EQ(OK
, CreateHandler(
316 false, false, false, "http://alias:500", &auth_handler
));
317 ASSERT_TRUE(auth_handler
.get() != NULL
);
318 TestCompletionCallback callback
;
319 HttpRequestInfo request_info
;
321 EXPECT_EQ(ERR_IO_PENDING
, auth_handler
->GenerateAuthToken(
322 NULL
, &request_info
, callback
.callback(), &token
));
323 EXPECT_EQ(ERR_MISSING_AUTH_CREDENTIALS
, callback
.WaitForResult());
326 // This test is only for GSSAPI, as we can't use explicit credentials with
328 TEST_F(HttpAuthHandlerNegotiateTest
, NoKerberosCredentials
) {
329 SetupErrorMocks(AuthLibrary(), GSS_S_FAILURE
, 0x96C73AC3); // No credentials
330 scoped_ptr
<HttpAuthHandlerNegotiate
> auth_handler
;
331 EXPECT_EQ(OK
, CreateHandler(
332 false, false, false, "http://alias:500", &auth_handler
));
333 ASSERT_TRUE(auth_handler
.get() != NULL
);
334 TestCompletionCallback callback
;
335 HttpRequestInfo request_info
;
337 EXPECT_EQ(ERR_IO_PENDING
, auth_handler
->GenerateAuthToken(
338 NULL
, &request_info
, callback
.callback(), &token
));
339 EXPECT_EQ(ERR_MISSING_AUTH_CREDENTIALS
, callback
.WaitForResult());
342 #if defined(DLOPEN_KERBEROS)
343 TEST_F(HttpAuthHandlerNegotiateTest
, MissingGSSAPI
) {
344 scoped_ptr
<HostResolver
> host_resolver(new MockHostResolver());
345 MockAllowURLSecurityManager url_security_manager
;
346 scoped_ptr
<HttpAuthHandlerNegotiate::Factory
> negotiate_factory(
347 new HttpAuthHandlerNegotiate::Factory());
348 negotiate_factory
->set_host_resolver(host_resolver
.get());
349 negotiate_factory
->set_url_security_manager(&url_security_manager
);
350 negotiate_factory
->set_library(
351 new GSSAPISharedLibrary("/this/library/does/not/exist"));
353 GURL
gurl("http://www.example.com");
354 scoped_ptr
<HttpAuthHandler
> generic_handler
;
355 int rv
= negotiate_factory
->CreateAuthHandlerFromString(
357 HttpAuth::AUTH_SERVER
,
361 EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME
, rv
);
362 EXPECT_TRUE(generic_handler
.get() == NULL
);
364 #endif // defined(DLOPEN_KERBEROS)
366 #endif // defined(OS_POSIX)