pax_global_header00006660000000000000000000000064122672224010014510gustar00rootroot0000000000000052 comment=49b419c11f508bff31fb86acddb5e98204d95c2e HTTPauth-0.2.1/000077500000000000000000000000001226722240100131515ustar00rootroot00000000000000HTTPauth-0.2.1/.gitignore000066400000000000000000000000151226722240100151350ustar00rootroot00000000000000Gemfile.lock HTTPauth-0.2.1/Gemfile000066400000000000000000000000631226722240100144430ustar00rootroot00000000000000source 'https://rubygems.org' gem 'rake' gemspec HTTPauth-0.2.1/LICENSE000066400000000000000000000021631226722240100141600ustar00rootroot00000000000000Copyright (C) 2006-2011 Manfred Stienstra , Fingertips, Tim Olsen Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. HTTPauth-0.2.1/README.md000066400000000000000000000034561226722240100144400ustar00rootroot00000000000000HTTPauth ====== HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication. We aim to make HTTPAuth as compliant as possible. HTTPAuth is built to be completely agnostic of the HTTP implementation. If you have access to your webserver's headers you can use this library to implement authentication. This project is currently under development, don't use it in mission critical applications. ## Getting started If you want to implement authentication for your application you should probably start by looking at the various examples. In the examples directory is an implementation of an HTTP client and server, you can use these to test your implementation. The examples are basic implementations of the protocol. ## Limitations Currently the library doesn't check for consistency of the directives in the various headers, this means that implementations using this library can be vulnerable to request replay attacks. This will obviously be addressed before the final release. ## Plugins ### Ruby on Rails A plugin for Ruby on Rails can be found here: https://fngtps.com/svn/rails-plugins/trunk/digest_authentication ## Known client implementation issues ### Safari Safari doesn't understand and parse the algorithm and qop directives correctly. For instance: it sends qop=auth as qop="auth" and when multiple qop values are suggested by the server, no authentication is triggered. ### Internet Explorer The qop and algorithm bug quoting bugs are also present in IE. IE doesn't use the full URI for digest calculation, it chops off the query parameters. So a request on /script?q=a will response with uri='/script'. ## Known server implementation issues Apache 2.0 sends Authorization-Info headers without a nextnonce directive. HTTPauth-0.2.1/Rakefile000066400000000000000000000003421226722240100146150ustar00rootroot00000000000000require 'bundler' Bundler::GemHelper.install_tasks require 'rake/testtask' Rake::TestTask.new do |t| t.test_files = FileList['test/*_test.rb'] t.verbose = true end desc 'Run all tests by default' task :default => :test HTTPauth-0.2.1/TODO000066400000000000000000000005171226722240100136440ustar00rootroot00000000000000* response_digest_a2 needs to be tested. * An Authentication-Info#validate may need to be added as well. * Work around IE query parameters bug * Strict directives checking * AuthorizationInfo should only return rspauth and nonce and the like if :qop == 'auth-int' * Expire nonce * Address security considerations * Support for proxies HTTPauth-0.2.1/examples/000077500000000000000000000000001226722240100147675ustar00rootroot00000000000000HTTPauth-0.2.1/examples/client_digest_secure000077500000000000000000000067451226722240100211140ustar00rootroot00000000000000#!/usr/bin/env ruby $LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/../lib') require 'rubygems' rescue LoadError require 'uri' require 'rfuzz/client' require 'httpauth/digest' SALT = 'My very very secret salt' class AuthenticationCache def initialize @uri = nil @credentials = nil end def set_credentials_for(uri, credentials) @uri = get_new_uri(@uri, uri) @credentials = credentials end def get_credentials @credentials end def update_usage_for(uri, reset_count_for_uri = false) if reset_count_for_uri @credentials.nc = 0 else @credentials.nc += 1 end end protected # Is uri1 more general than uri2 def more_general_uri?(uri1, uri2) ua1 = uri1.nil? ? [] : uri1.split('/') ua2 = uri2.nil? ? [] : uri2.split('/') ua1.each_with_index do |p, i| return false unless ua2[i] == p end true end def get_new_uri(uri1, uri2) if more_general_uri?(uri1, uri2) uri1 else uri2 end end end class AuthenticatedClient include HTTPAuth::Digest def initialize(host, port) @client = RFuzz::HttpClient.new host, port @cache = AuthenticationCache.new @username = nil @password = nil end def get_credentials_from_user if @username.nil? print 'Username: ' @username = $stdin.gets.strip end if @password.nil? print 'Password: ' @password = $stdin.gets.strip end [@username, @password] end # Get a resource from the server def get(resource) uri = URI.parse resource # If credentials were stored, use them. Otherwise do a normal get credentials = @cache.get_credentials if credentials.nil? response = @client.get resource else puts "sending credentials: #{credentials.to_header}" response = @client.get resource, :head => {'Authorization' => credentials.to_header} end # If response was 401, retry with authentication if response.http_status == '401' && !response['WWW_AUTHENTICATE'].nil? puts "got challenge: #{response['WWW_AUTHENTICATE']}" challenge = Challenge.from_header(response['WWW_AUTHENTICATE']) (stale = challenge.stale) rescue NoMethodError if stale username = credentials.username password = credentials.password else username, password = get_credentials_from_user end credentials = Credentials.from_challenge(challenge, :uri => resource, :username => username, :password => password, :method => 'GET' ) puts "sending credentials: #{credentials.to_header}" @cache.set_credentials_for uri.path, credentials response = @client.get resource, :head => {'Authorization' => credentials.to_header} end # If the server sends authentication info use the information for the next request if response['AUTHENTICATION_INFO'] puts "got authentication-info: #{response['AUTHENTICATION_INFO']}" auth_info = AuthenticationInfo.from_header(response['AUTHENTICATION_INFO']) @cache.update_usage_for uri.path, auth_info.h[:nextnonce] else @cache.update_usage_for uri.path end response end end if $PROGRAM_NAME == __FILE__ unless ARGV.length == 2 puts <<-EOT Usage: client_digest_secure get EOT exit 0 end uri = URI.parse ARGV[1] client = AuthenticatedClient.new uri.host, uri.port response = client.send ARGV[0].intern, uri.query ? "#{uri.path}&#{uri.query}" : uri.path puts response.http_body end HTTPauth-0.2.1/examples/server_digest_secure000077500000000000000000000034531226722240100211350ustar00rootroot00000000000000#!/usr/bin/env ruby $LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/../lib') require 'webrick' require 'httpauth/digest' require 'yaml' include WEBrick s = HTTPServer.new :Port => 2000, :AccessLog => [[File.open('/dev/null', 'w'), AccessLog::COMMON_LOG_FORMAT], [File.open('/dev/null', 'w'), AccessLog::REFERER_LOG_FORMAT]] class AuthenticationServlet < HTTPServlet::AbstractServlet include HTTPAuth::Digest def do_GET(request, response) puts '-' * 79 puts 'request: Authorization: ' + (request['Authorization'] || '') credentials = Credentials.from_header(request['Authorization']) unless request['Authorization'].nil? if !credentials.nil? && credentials.validate(:password => 'secret', :method => 'GET') response.status = 200 auth_info = AuthenticationInfo.from_credentials credentials response['Authentication-Info'] = auth_info.to_header response['Content-Type'] = 'text/plain; charset=utf-8' response.body = 'You are authorized' puts 'response: Authentication-Info: ' + response['Authentication-Info'] else if credentials puts '[!] FAILED: ' + credentials.reason else puts '[!] FAILED: No credentials specified' end response.status = 401 challenge = Challenge.new :realm => 'admin@httpauth.example.com', :qop => ['auth'] response['WWW-Authenticate'] = challenge.to_header response['Content-Type'] = 'text/plain; charset=utf-8' response.body = 'You are not authorized' puts 'response: WWW-Authenticate: ' + response['WWW-Authenticate'] end end end puts "\n>>> Open http://localhost:2000/ and login with password 'secret', any username should work\n\n" s.mount '/', AuthenticationServlet trap('INT') { s.shutdown } s.start HTTPauth-0.2.1/httpauth.gemspec000066400000000000000000000013371226722240100163630ustar00rootroot00000000000000Gem::Specification.new do |spec| spec.name = 'httpauth' spec.version = '0.2.1' spec.author = 'Manfred Stienstra' spec.email = 'manfred@fngtpspec.com' spec.homepage = 'https://github.com/Manfred/HTTPauth' spec.summary = 'HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication.' spec.description = 'Library for the HTTP Authentication protocol (RFC 2617)' spec.files = %w(README.md LICENSE) + Dir.glob('lib/**/*') spec.add_development_dependency 'bundler', '~> 1.0' spec.has_rdoc = true spec.extra_rdoc_files = ['README.md', 'LICENSE'] spec.license = 'MIT' spec.rdoc_options << '--charset=utf-8' end HTTPauth-0.2.1/lib/000077500000000000000000000000001226722240100137175ustar00rootroot00000000000000HTTPauth-0.2.1/lib/httpauth.rb000066400000000000000000000001561226722240100161070ustar00rootroot00000000000000require 'httpauth/constants' require 'httpauth/exceptions' require 'httpauth/basic' require 'httpauth/digest' HTTPauth-0.2.1/lib/httpauth/000077500000000000000000000000001226722240100155605ustar00rootroot00000000000000HTTPauth-0.2.1/lib/httpauth/basic.rb000066400000000000000000000114701226722240100171710ustar00rootroot00000000000000%w(base64 httpauth/exceptions httpauth/constants).each { |l| require l } module HTTPAuth # = Basic # # The Basic class provides a number of methods to handle HTTP Basic Authentication. In Basic Authentication # the server sends a challenge and the client has to respond to that with the correct credentials. These # credentials will have to be sent with every request from that point on. # # == On the server # # On the server you will have to check the headers for the 'Authorization' header. When you find one unpack # it and check it against your database of credentials. If the credentials are wrong you have to return a # 401 status message and a challenge, otherwise proceed as normal. The code is meant as an example, not as # runnable code. # # def check_authentication(request, response) # credentials = HTTPAuth::Basic.unpack_authorization(request['Authorization']) # if ['admin', 'secret'] == credentials # response.status = 200 # return true # else # response.status = 401 # response['WWW-Authenticate'] = HTTPAuth::Basic.pack_challenge('Admin Pages') # return false # end # end # # == On the client # # On the client you have to detect the WWW-Authenticate header sent from the server. Once you find one you _should_ # send credentials for that resource any resource 'deeper in the URL space'. You _may_ send the credentials for # every request without a WWW-Authenticate challenge. Note that credentials are valid for a realm, a server can # use multiple realms for different resources. The code is meant as an example, not as runnable code. # # def get_credentials_from_user_for(realm) # if realm == 'Admin Pages' # return ['admin', 'secret'] # else # return [nil, nil] # end # end # # def handle_authentication(response, request) # unless response['WWW-Authenticate'].nil? # realm = HTTPAuth::Basic.unpack_challenge(response['WWW-Authenticate]) # @credentials[realm] ||= get_credentials_from_user_for(realm) # @last_realm = realm # end # unless @last_realm.nil? # request['Authorization'] = HTTPAuth::Basic.pack_authorization(*@credentials[@last_realm]) # end # end class Basic class << self # Unpacks the HTTP Basic 'Authorization' credential header # # * authorization: The contents of the Authorization header # * Returns a list with two items: the username and password def unpack_authorization(authorization) d = authorization.split ' ' fail(ArgumentError, 'HTTPAuth::Basic can only unpack Basic Authentication headers') unless d[0] == 'Basic' Base64.decode64(d[1]).split(':')[0..1] end # Packs HTTP Basic credentials to an 'Authorization' header # # * username: A string with the username # * password: A string with the password def pack_authorization(username, password) format('Basic %s', Base64.encode64("#{username}:#{password}").gsub("\n", '')) end # Returns contents for the WWW-authenticate header # # * realm: A string with a recognizable title for the restricted resource def pack_challenge(realm) format("Basic realm=\"%s\"", realm.gsub('"', '')) end # Returns the name of the realm in a WWW-Authenticate header # # * authenticate: The contents of the WWW-Authenticate header def unpack_challenge(authenticate) if authenticate =~ /Basic\srealm=\"([^\"]*)\"/ return Regexp.last_match[1] else if authenticate =~ /^Basic/ fail(UnwellformedHeader, "Can't parse the WWW-Authenticate header, it's probably not well formed") else fail(ArgumentError, 'HTTPAuth::Basic can only unpack Basic Authentication headers') end end end # Finds and unpacks the authorization credentials in a hash with the CGI enviroment. Returns [nil,nil] if no # credentials were found. See HTTPAuth::CREDENTIAL_HEADERS for supported variable names. # # _Note for Apache_: normally the Authorization header can be found in the HTTP_AUTHORIZATION env variable, # but Apache's mod_auth removes the variable from the enviroment. You can work around this by renaming # the variable in your apache configuration (or .htaccess if allowed). For example: rewrite the variable # for every request on /admin/*. # # RewriteEngine on # RewriteRule ^admin/ - [E=X-HTTP-AUTHORIZATION:%{HTTP:Authorization}] def get_credentials(env) d = HTTPAuth::CREDENTIAL_HEADERS.inject(false) { |a, e| env[e] || a } return unpack_authorization(d) unless !d || d.nil? || d.empty? [nil, nil] end end end end HTTPauth-0.2.1/lib/httpauth/constants.rb000066400000000000000000000011411226722240100201160ustar00rootroot00000000000000# HTTPAuth holds a number of classes and constants to implement HTTP Authentication with. See Basic or Digest for # details on how to implement authentication using this library. # # For more information see RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt) module HTTPAuth VERSION = '0.2' CREDENTIAL_HEADERS = %w{REDIRECT_X_HTTP_AUTHORIZATION X-HTTP-AUTHORIZATION X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION} SUPPORTED_SCHEMES = {:basic => 'Basic', :digest => 'Digest'} SUPPORTED_QOPS = %w[auth auth-int] SUPPORTED_ALGORITHMS = %w[MD5 MD5-sess] PREFERRED_QOP = 'auth' PREFERRED_ALGORITHM = 'MD5' end HTTPauth-0.2.1/lib/httpauth/digest.rb000066400000000000000000000627261226722240100174010ustar00rootroot00000000000000%w(tmpdir digest/md5 base64 httpauth/exceptions httpauth/constants).each { |l| require l } module HTTPAuth # = Digest # # The Digest class provides a number of methods to handle HTTP Digest Authentication. Generally the server # sends a challenge to the client a resource that needs authorization and the client tries to respond with # the correct credentials. Digest authentication rapidly becomes more complicated after that, if you want to # build an implementation I suggest you at least skim RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt). # # == Examples # # Digest authentication examples are too large to include in source documentation. Please consult the examples # directory for client and server implementations. # # The classes and code of the library are set up to be as transparent as possible so integrating the library # with any implementation talking HTTP, either trough CGI or directly should be possible. # # == The 'Digest' # # In Digest authentication the client's credentials are never sent in plain text over HTTP. You don't even have # to store the passwords in plain text on the server to authenticate clients. The library doesn't force you to # use the digest mechanism, it also works by specifying the username, password and realm. If you do decided to # use digests you can generate them in the following way: # # H(username + ':' + realm + ':' + password) # # Where H returns the MD5 hexdigest of the string. The Utils class defines a method to calculate the digest. # # HTTPAuth::Digest::Utils.htdigest(username, realm, password) # # The format of this digest is the same in most implementations. Apache's htdigest tool for instance # stores the digests in a textfile like this: # # username:realm:digest # # == Security # # Digest authentication is quite a bit more secure than Basic authentication, but it isn't as secure as SSL. # The biggest difference between Basic and Digest authentication is that Digest authentication doesn't send # clear text passwords, but only an MD5 digest. Recent developments in password cracking and mathematics have # found several ways to create collisions with MD5 hashes and it's not infinitely secure. However, it currently # still takes a lot of computing power to crack MD5 digests. Checking for brute force attacks in your applications # and routinely changing the user credentials and maybe even the realm makes it a lot harder for a cracker to # abuse your application. module Digest # Utils contains all sort of conveniance methods for the header container classes. Implementations shouldn't have # to call any methods on Utils. class Utils class << self # Encodes a hash with digest directives to send in a header. # # * h: The directives specified in a hash # * variant: Specifies whether the directives are for an Authorize header (:credentials), # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info). def encode_directives(h, variant) encode = {:domain => :list_to_space_quoted_string, :algorithm => false, :stale => :bool_to_str, :nc => :int_to_hex} if [:credentials, :auth].include? variant encode.merge! :qop => false elsif variant == :challenge encode.merge! :qop => :list_to_comma_quoted_string else fail(ArgumentError, "#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge") end (variant == :auth ? '' : 'Digest ') + h.collect do |directive, value| '' << directive.to_s << '=' << if encode[directive] begin Conversions.send encode[directive], value rescue NoMethodError, ArgumentError raise(ArgumentError, "Can't encode #{directive}(#{value.inspect}) with #{encode[directive]}") end elsif encode[directive].nil? begin Conversions.quote_string value rescue NoMethodError, ArgumentError raise(ArgumentError, "Can't encode #{directive}(#{value.inspect}) with quote_string") end else value end end.join(', ') end # Decodes digest directives from a header. Returns a hash with directives. # # * directives: The directives # * variant: Specifies whether the directives are for an Authorize header (:credentials), # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info). def decode_directives(directives, variant) fail(HTTPAuth::UnwellformedHeader, "Can't decode directives which are nil") if directives.nil? decode = {:domain => :space_quoted_string_to_list, :algorithm => false, :stale => :str_to_bool, :nc => :hex_to_int} if [:credentials, :auth].include? variant decode.merge! :qop => false elsif variant == :challenge decode.merge! :qop => :comma_quoted_string_to_list else fail(ArgumentError, "#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge") end start = 0 unless variant == :auth # The first six characters are 'Digest ' start = 6 scheme = directives[0..6].strip fail(HTTPAuth::UnwellformedHeader, "Scheme should be Digest, server responded with `#{directives}'") unless scheme == 'Digest' end # The rest are the directives # TODO: split is ugly, I want a real parser (: directives[start..-1].split(',').inject({}) do |h, part| parts = part.split('=') name = parts[0].strip.intern value = parts[1..-1].join('=').strip # --- HACK # IE and Safari qoute qop values # IE also quotes algorithm values if variant != :challenge && [:qop, :algorithm].include?(name) && value =~ /^\"[^\"]+\"$/ value = Conversions.unquote_string(value) end # --- END HACK if decode[name] h[name] = Conversions.send decode[name], value elsif decode[name].nil? h[name] = Conversions.unquote_string value else h[name] = value end h end end # Concat arguments the way it's done frequently in the Digest spec. # # digest_concat('a', 'b') #=> "a:b" # digest_concat('a', 'b', c') #=> "a:b:c" def digest_concat(*args) args.join ':' end # Calculate the MD5 hexdigest for the string data def digest_h(data) ::Digest::MD5.hexdigest data end # Calculate the KD value of a secret and data as explained in the RFC. def digest_kd(secret, data) digest_h digest_concat(secret, data) end # Calculate the Digest for the credentials def htdigest(username, realm, password) digest_h digest_concat(username, realm, password) end # Calculate the H(A1) as explain in the RFC. If h[:digest] is set, it's used instead # of calculating H(username ":" realm ":" password). def digest_a1(h, s) # TODO: check for known algorithm values (look out for the IE algorithm quote bug) if h[:algorithm] == 'MD5-sess' digest_h digest_concat( h[:digest] || htdigest(h[:username], h[:realm], h[:password]), h[:nonce], h[:cnonce] ) else h[:digest] || htdigest(h[:username], h[:realm], h[:password]) end end # Calculate the H(A2) for the Authorize header as explained in the RFC. def request_digest_a2(h) # TODO: check for known qop values (look out for the safari qop quote bug) if h[:qop] == 'auth-int' digest_h digest_concat(h[:method], h[:uri], digest_h(h[:request_body])) else digest_h digest_concat(h[:method], h[:uri]) end end # Calculate the H(A2) for the Authentication-Info header as explained in the RFC. def response_digest_a2(h) if h[:qop] == 'auth-int' digest_h ':' + digest_concat(h[:uri], digest_h(h[:response_body])) else digest_h ':' + h[:uri] end end # Calculate the digest value for the directives as explained in the RFC. # # * variant: Either :request or :response, as seen from the server. def calculate_digest(h, s, variant) fail(ArgumentError, "Variant should be either :request or :response, not #{variant}") unless [:request, :response].include?(variant) # Compatability with RFC 2069 if h[:qop].nil? digest_kd digest_a1(h, s), digest_concat( h[:nonce], send("#{variant}_digest_a2".intern, h) ) else digest_kd digest_a1(h, s), digest_concat( h[:nonce], Conversions.int_to_hex(h[:nc]), h[:cnonce], h[:qop], send("#{variant}_digest_a2".intern, h) ) end end # Return a hash with the keys in keys found in h. # # Example # # filter_h_on({1=>1,2=>2}, [1]) #=> {1=>1} # filter_h_on({1=>1,2=>2}, [1, 2]) #=> {1=>1,2=>2} def filter_h_on(h, keys) h.inject({}) { |a, e| keys.include?(e[0]) ? a.merge(e[0] => e[1]) : a } end # Create a nonce value of the time and a salt. The nonce is created in such a # way that the issuer can check the age of the nonce. # # * salt: A reasonably long passphrase known only to the issuer. def create_nonce(salt) now = Time.now time = now.strftime('%Y-%m-%d %H:%M:%S').to_s + ':' + now.usec.to_s Base64.encode64( digest_concat( time, digest_h(digest_concat(time, salt)) ) ).gsub("\n", '')[0..-3] end # Create a 32 character long opaque string with a 'random' value def create_opaque s = [] 16.times { s << rand(127).chr } digest_h s.join end end end # Superclass for all the header container classes class AbstractHeader # holds directives and values for digest calculation attr_reader :h # Redirects attribute messages to the internal directives # # Example: # # class Credentials < AbstractHeader # def initialize # @h = { :username => 'Ben' } # end # end # # c = Credentials.new # c.username #=> 'Ben' # c.username = 'Mary' # c.username #=> 'Mary' def method_missing(m, *a) if ((m.to_s =~ /^(.*)=$/) == 0) && @h.keys.include?(Regexp.last_match[1].intern) @h[Regexp.last_match[1].intern] = a[0] elsif @h.keys.include? m @h[m] else fail(NameError, "undefined method `#{m}' for #{self}") end end end # The Credentials class handlers the Authorize header. The Authorize header is sent by a client who wants to # let the server know he has the credentials needed to access a resource. # # See the Digest module for examples class Credentials < AbstractHeader # Holds an explanation why validate returned false. attr_reader :reason # Parses the information from an Authorize header and creates a new Credentials instance with the information. # The options hash allows you to specify additional information. # # * authorization: The contents of the Authorize header # See initialize for valid options. def self.from_header(authorization, options = {}) new Utils.decode_directives(authorization, :credentials), options end # Creates a new Credential instance based on a Challenge instance. # # * challenge: A Challenge instance # See initialize for valid options. def self.from_challenge(challenge, options = {}) credentials = new challenge.h credentials.update_from_challenge! options credentials end def self.load(filename, options = {}) h = nil File.open(filename, 'r') do |f| h = Marshal.load f end new h, options end # Create a new instance. # # * h: A Hash with directives, normally this is filled with the directives coming from a Challenge instance. # * options: Used to set or override data from the Authorize header and add additional parameters. # * :username: Mostly set by a client to send the username # * :password: Mostly set by a client to send the password, set either this or the digest # * :digest: Mostly set by a client to send a digest, set either this or the digest. For more # information about digests see Digest. # * :uri: Mostly set by the client to send the uri # * :method: The HTTP Method used by the client to send the request, this should be an uppercase string # with the name of the verb. def initialize(h, options = {}) @h = h @h.merge! options session = Session.new h[:opaque], :tmpdir => options[:tmpdir] @s = session.load @reason = 'There has been no validation yet' end # Convenience method, basically an alias for validate(options.merge(:password => password)) def validate_password(password, options = {}) options[:password] = password validate(options) end # Convenience method, basically an alias for validate(options.merge(:digest => digest)) def validate_digest(digest, options = {}) options[:digest] = digest validate(options) end # Validates the credential information stored in the Credentials instance. Returns true or # false. You can read the ue # # * options: The extra options needed to validate the credentials. A server implementation should # provide the :method and a :password or :digest. # * :method: The HTTP Verb in uppercase, ie. GET or POST. # * :password: The password for the sent username and realm, either a password or digest should be # provided. # * :digest: The digest for the specified username and realm, either a digest or password should be # provided. def validate(options) ho = @h.merge(options) fail(ArgumentError, "You have to set the :request_body value if you want to use :qop => 'auth-int'") if @h[:qop] == 'auth-int' && ho[:request_body].nil? fail(ArgumentError, 'Please specify the request method :method (ie. GET)') if ho[:method].nil? calculated_response = Utils.calculate_digest(ho, @s, :request) if ho[:response] == calculated_response @reason = '' return true else @reason = "Response isn't the same as computed response #{ho[:response]} != #{calculated_response} for #{ho.inspect}" end false end # Encodeds directives and returns a string that can be used in the Authorize header def to_header Utils.encode_directives Utils.filter_h_on(@h, [:username, :realm, :nonce, :uri, :response, :algorithm, :cnonce, :opaque, :qop, :nc]), :credentials end # Updates @h from options, generally called after an instance was created with from_challenge. def update_from_challenge!(options) # TODO: integrity checks @h[:username] = options[:username] @h[:password] = options[:password] @h[:digest] = options[:digest] @h[:uri] = options[:uri] @h[:method] = options[:method] @h[:request_body] = options[:request_body] unless @h[:qop].nil? # Determine the QOP if !options[:qop].nil? && @h[:qop].include?(options[:qop]) @h[:qop] = options[:qop] elsif @h[:qop].include?(HTTPAuth::PREFERRED_QOP) @h[:qop] = HTTPAuth::PREFERRED_QOP else qop = @h[:qop].detect { |qop_field| HTTPAuth::SUPPORTED_QOPS.include? qop_field } if qop.nil? fail(UnsupportedError, "HTTPAuth doesn't support any of the proposed qop values: #{@h[:qop].inspect}") else @h[:qop] = qop end end @h[:cnonce] ||= Utils.create_nonce options[:salt] @h[:nc] ||= 1 unless @h[:qop].nil? end @h[:response] = Utils.calculate_digest(@h, @s, :request) end def dump_sans_creds(filename) File.open(filename, 'w') do |f| Marshal.dump(Utils.filter_h_on(@h, [:username, :realm, :nonce, :algorithm, :cnonce, :opaque, :qop, :nc]), f) end end end # The Challenge class handlers the WWW-Authenticate header. The WWW-Authenticate header is sent by a server when # accessing a resource without credentials is prohibided. The header should always be sent together with a 401 # status. # # See the Digest module for examples class Challenge < AbstractHeader # Parses the information from a WWW-Authenticate header and creates a new WWW-Authenticate instance with this # data. # # * challenge: The contents of a WWW-Authenticate header # See initialize for valid options. def self.from_header(challenge, options = {}) new Utils.decode_directives(challenge, :challenge), options end # Create a new instance. # # * h: A Hash with directives, normally this is filled with directives coming from a Challenge instance. # * options: Use to set of override data from the WWW-Authenticate header # * :realm: The name of the realm the client should authenticate for. The RFC suggests to use a string # like 'admin@yourhost.domain.com'. Be sure to use a reasonably long string to avoid brute force attacks. # * :qop: A list with supported qop values. For example: ['auth-int']. This will default # to ['auth']. Although this implementation supports both auth and auth-int, most # implementations don't. Some implementations get confused when they receive anything but 'auth'. For # maximum compatibility you should leave this setting alone. # * :algorithm: The preferred algorithm for calculating the digest. For # example: 'MD5-sess'. This will default to 'MD5'. For # maximum compatibility you should leave this setting alone. # def initialize(h, options = {}) @h = h @h.merge! options end # Encodes directives and returns a string that can be used as the WWW-Authenticate header def to_header @h[:nonce] ||= Utils.create_nonce @h[:salt] @h[:opaque] ||= Utils.create_opaque @h[:algorithm] ||= HTTPAuth::PREFERRED_ALGORITHM @h[:qop] ||= [HTTPAuth::PREFERRED_QOP] Utils.encode_directives Utils.filter_h_on(@h, [:realm, :domain, :nonce, :opaque, :stale, :algorithm, :qop]), :challenge end end # The AuthenticationInfo class handles the Authentication-Info header. Sending Authentication-Info headers will # allow the client to check the integrity of the response, but it isn't compulsory and will get in the way of # pipelined retrieval of resources. # # See the Digest module for examples class AuthenticationInfo < AbstractHeader # Parses the information from a Authentication-Info header and creates a new AuthenticationInfo instance with # this data. # # * auth_info: The contents of the Authentication-Info header # See initialize for valid options. def self.from_header(auth_info, options = {}) new Utils.decode_directives(auth_info, :auth), options end # Creates a new AuthenticationInfo instance based on the information from Credentials instance. # # * credentials: A Credentials instance # See initialize for valid options. def self.from_credentials(credentials, options = {}) auth_info = new credentials.h auth_info.update_from_credentials! options auth_info end # Create a new instance. # # * h: A Hash with directives, normally this is filled with the directives coming from a # Credentials instance. # * options: Used to set or override data from the Authentication-Info header # * :digest: The digest for the specified username and realm. # * :response_body The body of the response that's going to be sent to the client. This is a # compulsory option if the qop directive is 'auth-int'. def initialize(h, options = {}) @h = h @h.merge! options end # Encodes directives and returns a string that can be used as the AuthorizationInfo header def to_header Utils.encode_directives Utils.filter_h_on(@h, [:nextnonce, :qop, :rspauth, :cnonce, :nc]), :auth end # Updates @h from options, generally called after an instance was created with from_credentials. def update_from_credentials!(options) # TODO: update @h after nonce invalidation [:digest, :username, :realm, :password].each do |k| @h[k] = options[k] if options.include? k end @h[:response_body] = options[:response_body] @h[:nextnonce] = Utils.create_nonce @h[:salt] @h[:rspauth] = Utils.calculate_digest(@h, nil, :response) end # Validates rspauth. Returns true or false # # * options: The extra options needed to validate rspauth. # * :digest: The H(a1) digest # * :uri: request uri # * :nonce:nonce def validate(options) ho = @h.merge(options) @h[:rspauth] == Utils.calculate_digest(ho, @s, :response) end end # Conversion for a number of internal data structures to and from directives in the headers. Implementations # shouldn't have to call any methods on Conversions. class Conversions class << self # Adds quotes around the string def quote_string(str) "\"#{str.gsub(/\"/, '')}\"" end # Removes quotes from around a string def unquote_string(str) str =~ /^\"([^\"]*)\"$/ ? Regexp.last_match[1] : str end # Creates an int value from hex values def hex_to_int(str) "0x#{str}".hex end # Creates a hex value in a string from an integer def int_to_hex(i) i.to_s(16).rjust 8, '0' end # Creates a boolean value from a string => true or false def str_to_bool(str) str == 'true' end # Creates a string value from a boolean => 'true' or 'false' def bool_to_str(bool) bool ? 'true' : 'false' end # Creates a quoted string with space separated items from a list def list_to_space_quoted_string(list) quote_string list.join(' ') end # Creates a list from a quoted space separated string of items def space_quoted_string_to_list(string) unquote_string(string).split ' ' end # Creates a quoted string with comma separated items from a list def list_to_comma_quoted_string(list) quote_string list.join(',') end # Create a list from a quoted comma separated string of items def comma_quoted_string_to_list(string) unquote_string(string).split ',' end end end # Session is a file-based session implementation for storing details about the Digest authentication session # between requests. class Session attr_accessor :opaque attr_accessor :options # Initializes the new Session object. # # * opaque - A string to identify the session. This would normally be the opaque sent by the # client, but it could also be an identifier sent through a different mechanism. # * options - Additional options # * :tmpdir A tempory directory for storing the session data. Dir::tmpdir is the default. def initialize(opaque, options = {}) self.opaque = opaque self.options = options end # Associates the new data to the session and removes the old def save(data) File.open(filename, 'w') do |f| f.write Marshal.dump(data) end end # Returns the data from this session def load File.open(filename, 'r') do |f| Marshal.load f.read end rescue Errno::ENOENT {} end protected # The filename from which the session will be saved and read from def filename "#{options[:tmpdir] || Dir.tmpdir}/ruby_digest_cache.#{opaque}" end end end end HTTPauth-0.2.1/lib/httpauth/exceptions.rb000066400000000000000000000007141226722240100202700ustar00rootroot00000000000000module HTTPAuth # Raised when the library finds data that doesn't conform to the standard class UnwellformedHeader < ArgumentError; end # Raised when the library finds data that is not strictly forbidden but doesn't know how to handle. class UnsupportedError < ArgumentError; end # Raise when validation on the request failed, most of the times this means that someone is trying to do replay attacks. class ValidationError < ArgumentError; end end HTTPauth-0.2.1/test/000077500000000000000000000000001226722240100141305ustar00rootroot00000000000000HTTPauth-0.2.1/test/basic_test.rb000066400000000000000000000033511226722240100165770ustar00rootroot00000000000000# encoding: us-ascii $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test/unit' require 'httpauth/basic' require 'httpauth/exceptions' class BasicTest < Test::Unit::TestCase def setup @secret_bob_credentials = 'Basic Ym9iOnNlY3JldA==' @authorizations = { @secret_bob_credentials => %w[bob secret], 'Basic bWFyY8OpbDpnb2Q=' => ["marc\303\251l", 'god'] } @authentications = { "Basic realm=\"Admin\"" => 'Admin', "Basic realm=\"Admin Pages\"" => 'Admin Pages', "Basic realm=\"open=false\"" => 'open=false' } end def test_unpack_authorization @authorizations.each do |packed, unpacked| assert_equal unpacked, HTTPAuth::Basic.unpack_authorization(packed) end end def test_pack_authorization @authorizations.each do |packed, unpacked| assert_equal packed, HTTPAuth::Basic.pack_authorization(*unpacked) end end def test_get_credentials env = {'HTTP_AUTHORIZATION' => @secret_bob_credentials} assert_equal @authorizations[@secret_bob_credentials], HTTPAuth::Basic.get_credentials(env) end def test_pack_challenge @authentications.each do |packed, unpacked| assert_equal packed, HTTPAuth::Basic.pack_challenge(unpacked) end end def test_unpack_challenge @authentications.each do |packed, unpacked| assert_equal unpacked, HTTPAuth::Basic.unpack_challenge(packed) end end def test_invalid_input assert_raise(HTTPAuth::UnwellformedHeader) do HTTPAuth::Basic.unpack_challenge('Basic relm') end assert_raise(ArgumentError) do HTTPAuth::Basic.unpack_challenge('Digest data') end assert_raise(ArgumentError) do HTTPAuth::Basic.unpack_authorization('Digest data') end end end HTTPauth-0.2.1/test/digest_conversions_test.rb000066400000000000000000000035761226722240100214360ustar00rootroot00000000000000$LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test/unit' require 'httpauth/digest' class DigestConversionsTest < Test::Unit::TestCase cases = {} cases[:quote_string] = { 'word' => '"word"', 'word word' => '"word word"' } cases[:unquote_string] = cases[:quote_string].invert cases[:int_to_hex] = { 12 => '0000000c', 1 => '00000001', 65_535 => '0000ffff' } cases[:hex_to_int] = cases[:int_to_hex].invert cases[:str_to_bool] = { 'true' => true, 'false' => false } cases[:bool_to_str] = cases[:str_to_bool].invert cases[:space_quoted_string_to_list] = { "\"word word word\"" => %w[word word word], "\"word\"" => ['word'] } cases[:list_to_space_quoted_string] = cases[:space_quoted_string_to_list].invert cases[:comma_quoted_string_to_list] = { "\"word,word,word\"" => %w[word word word], "\"word\"" => ['word'] } cases[:list_to_comma_quoted_string] = cases[:comma_quoted_string_to_list].invert cases.each do |c, expected| define_method "test_#{c}" do expected.each do |from, to| assert_equal to, HTTPAuth::Digest::Conversions.send(c, from) end end end def test_unquote_string_garbage assert_equal 'unknown', HTTPAuth::Digest::Conversions.unquote_string('unknown') assert_equal '', HTTPAuth::Digest::Conversions.unquote_string('') assert_equal '', HTTPAuth::Digest::Conversions.unquote_string('""') end def test_str_to_bool_garbage assert_equal false, HTTPAuth::Digest::Conversions.str_to_bool('unknown') end def test_hex_to_int_garbage assert_equal 0, HTTPAuth::Digest::Conversions.hex_to_int('unknown') end def test_quoted_string_to_list_garbage assert_equal ['unknown'], HTTPAuth::Digest::Conversions.space_quoted_string_to_list('unknown') assert_equal ['unknown'], HTTPAuth::Digest::Conversions.comma_quoted_string_to_list('unknown') end end HTTPauth-0.2.1/test/digest_credentials_test.rb000066400000000000000000000107631226722240100213570ustar00rootroot00000000000000$LOAD_PATH.unshift File.dirname(__FILE__) $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test_helper' require 'httpauth/digest' class DigestCredentialsTest < Test::Unit::TestCase fixtures :credentials def setup remove_tmpdir create_tmpdir end def test_empty_initialization_from_header assert_raise HTTPAuth::UnwellformedHeader do HTTPAuth::Digest::Credentials.from_header nil, :tmpdir => tmpdir end assert_raise HTTPAuth::UnwellformedHeader do HTTPAuth::Digest::Credentials.from_header '', :tmpdir => tmpdir end end def test_initialization_from_header directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_marcel], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert_equal @@credentials[:from_marcel][:username], credentials.username assert_equal @@credentials[:from_marcel][:realm], credentials.realm end def test_validate directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari2], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :password => 'secret') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari2], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :digest => '659ac260760c38dce4d67663b74a71d2') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari2], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert !credentials.validate(:method => 'GET', :digest => '659ac260760c38dce4d67663b74') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_thijs], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert !credentials.validate(:method => 'GET', :password => 'secret') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_thijs], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :password => 'wrong') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert !credentials.validate(:method => 'GET', :password => 'wrong') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :password => 'secret') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_mustafa], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :password => 'Circle Of Life') directives = HTTPAuth::Digest::Utils.encode_directives(@@credentials[:from_safari], :credentials) credentials = HTTPAuth::Digest::Credentials.from_header directives, :tmpdir => tmpdir assert credentials.validate(:method => 'GET', :password => 'secret') end def test_from_blank credentials = HTTPAuth::Digest::Credentials.new :nc => 1, :uri => '/', :opaque => '0cf3b80a175d023ce40e7ad878dd4a2b', :realm => 'Admin pages', :nonce => 'MjAwNi0wOS0wNCAxNDoxNTo1Nzo2MjcyNDA6NDJmZDNjY2NiNzQ3ZjU1MDlhNTIyYTI1MWI1MTkzZm', :algorithm => 'MD5', :username => 'admin', :digest => '659ac260760c38dce4d67663b74a71d2', :method => 'GET', :response => '5e7bbe24dac88a1936edf1a89cae6168', :cnonce => '30b49be53eab919d', :qop => 'auth', :stale => false assert credentials.validate({}) end end HTTPauth-0.2.1/test/digest_scenario_test.rb000066400000000000000000000022271226722240100206610ustar00rootroot00000000000000# encoding: utf-8 $LOAD_PATH.unshift File.dirname(__FILE__) $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test/unit' require 'test_helper' require 'httpauth/digest' class DigestScenarioTest < Test::Unit::TestCase def setup remove_tmpdir create_tmpdir end def test_simple password = 'secret' server_challenge = HTTPAuth::Digest::Challenge.new :realm => 'httpauth@example.com' client_challenge = HTTPAuth::Digest::Challenge.from_header server_challenge.to_header assert_equal server_challenge.h, client_challenge.h client_credentials = HTTPAuth::Digest::Credentials.from_challenge client_challenge, :uri => '/post/12', :username => 'Marcél', :password => password, :method => 'GET' server_credentials = HTTPAuth::Digest::Credentials.from_header client_credentials.to_header assert server_credentials.validate( :password => password, :method => 'GET') server_auth_info = HTTPAuth::Digest::AuthenticationInfo.from_credentials server_credentials HTTPAuth::Digest::AuthenticationInfo.from_header server_auth_info.to_header end end HTTPauth-0.2.1/test/digest_session_test.rb000066400000000000000000000016671226722240100205500ustar00rootroot00000000000000$LOAD_PATH.unshift File.dirname(__FILE__) $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test/unit' require 'digest/md5' require 'test_helper' require 'httpauth/digest' class DigestSessionTest < Test::Unit::TestCase def setup remove_tmpdir create_tmpdir @opaque = Digest::MD5.hexdigest Time.now.to_s end def test_session_create_and_load h = {:username => 'bob', :password => 'secret'} session = HTTPAuth::Digest::Session.new @opaque, :tmpdir => tmpdir session.save h session = HTTPAuth::Digest::Session.new @opaque, :tmpdir => tmpdir assert_equal h, session.load session = HTTPAuth::Digest::Session.new @opaque, :tmpdir => tmpdir assert_equal h, session.load end def test_session_load_without_session session = HTTPAuth::Digest::Session.new @opaque, :tmpdir => tmpdir h = nil assert_nothing_raised do h = session.load end assert_equal({}, h) end end HTTPauth-0.2.1/test/digest_utils_test.rb000066400000000000000000000154741226722240100202260ustar00rootroot00000000000000# encoding: utf-8 $LOAD_PATH.unshift File.dirname(__FILE__) + '/../lib' require 'test/unit' require 'httpauth/digest' require 'base64' class DigestUtilsTest < Test::Unit::TestCase def setup @data = { :credentials => { 'Digest username="marcél", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"' => {:username => 'marcél', :realm => 'testrealm@host.com', :nonce => 'dcd98b7102dd2f0e8b11d0f600bfb0c093', :uri => '/dir/index.html', :qop => 'auth', :nc => 1, :cnonce => '0a4f113b', :response => '6629fae49393a05397450978507c4ef1', :opaque => '5ccc069c403ebaf9f0171e9517f40e41'} }, :challenge => { 'Digest realm="mp@mount.dwerg.net", nonce="QG4LS2UcBAA=b978f6e632f6b9f7a8927ab48e20ef61d967552b", algorithm=MD5, qop="auth"' => {:realm => 'mp@mount.dwerg.net', :nonce => 'QG4LS2UcBAA=b978f6e632f6b9f7a8927ab48e20ef61d967552b', :algorithm => 'MD5', :qop => ['auth']} }, :auth => { 'nextnonce="4b21d1ddd4f814c3e7c26226ffa4ddf33a261982ff915c1154a8"' => {:nextnonce => '4b21d1ddd4f814c3e7c26226ffa4ddf33a261982ff915c1154a8'}, 'nextnonce="5339bdd7a1d4032a4e4cac3733ee59d63da44efe9e1412f15881", qop=auth, cnonce="0a4f113b", nc=00000001' => { :nextnonce => '5339bdd7a1d4032a4e4cac3733ee59d63da44efe9e1412f15881', :qop => 'auth', :cnonce => '0a4f113b', :nc => 1}, 'nextnonce="19c325e2ebf0e938c3c67225aba5f23ad245a522415d6cbb3c16", qop=auth, cnonce="0a4f113b", nc=00000001, rspauth="5ccc069c403ebaf9f0171e9517f40e41"' => { :nextnonce => '19c325e2ebf0e938c3c67225aba5f23ad245a522415d6cbb3c16', :qop => 'auth', :cnonce => '0a4f113b', :nc => 1, :rspauth => '5ccc069c403ebaf9f0171e9517f40e41'} } } end def test_filter_h_on assert_equal({1 => 1, 2 => 2}, HTTPAuth::Digest::Utils.filter_h_on({1 => 1, 2 => 2, 3 => 3}, [1, 2])) assert_equal({1 => 1}, HTTPAuth::Digest::Utils.filter_h_on({1 => 1, 2 => 2}, [1])) assert_equal({2 => 2}, HTTPAuth::Digest::Utils.filter_h_on({1 => 1, 2 => 2}, [2])) assert_equal({}, HTTPAuth::Digest::Utils.filter_h_on({1 => 1, 2 => 2}, [])) assert_equal({}, HTTPAuth::Digest::Utils.filter_h_on({}, [])) end def test_encode_directives @data.each do |k, v| v.each do |encoded, directives| assert_equal encoded.length, HTTPAuth::Digest::Utils.encode_directives(directives, k).length, "In #{k}, in #{encoded}" end end end def test_decode_directives @data.each do |k, v| v.each do |encoded, directives| assert_equal directives, HTTPAuth::Digest::Utils.decode_directives(encoded, k), "In #{k}, in #{encoded}" end end end def test_decode_hacks # Test to see if the IE and Safari directive encode problems are HACKed around directives = HTTPAuth::Digest::Utils.decode_directives("Digest qop=\"auth\", algorithm=\"MD5\"", :credentials) assert_equal 'auth', directives[:qop] assert_equal 'MD5', directives[:algorithm] end def test_encode_decode_mirror @data.each do |k, v| v.each do |_, directives| assert_equal directives, HTTPAuth::Digest::Utils.decode_directives( HTTPAuth::Digest::Utils.encode_directives(directives, k), k), "In #{k}, in #{directives.inspect}" end end end def test_digest_concat assert_equal '', HTTPAuth::Digest::Utils.digest_concat assert_equal 'a', HTTPAuth::Digest::Utils.digest_concat('a') assert_equal 'a:b:c', HTTPAuth::Digest::Utils.digest_concat('a', 'b', 'c') end def test_digest_h assert_raise(TypeError) do HTTPAuth::Digest::Utils.digest_h(nil) end assert_equal 32, HTTPAuth::Digest::Utils.digest_h('a').length end def test_digest_kd assert_equal 32, HTTPAuth::Digest::Utils.digest_kd(nil, nil).length assert_equal 32, HTTPAuth::Digest::Utils.digest_kd(nil, 'b').length assert_equal 32, HTTPAuth::Digest::Utils.digest_kd('a', nil).length assert_equal 32, HTTPAuth::Digest::Utils.digest_kd('a', 'b').length end def test_digest_a1 [ ['742ec081c96652ff7aed5d819ea0061b', {:username => 'marcél', :realm => 'testrealm@host.com', :password => 'secret' }, {}], ['0630c5b7ea77f10dcca9bbcabb574cf9', {:username => 'marcél', :realm => 'testrealm@host.com', :password => 'secret', :nonce => 'dcd98b7102dd2f0e8b11d0f600bfb0c093', :cnonce => '0a4f113b', :algorithm => 'MD5-sess' }, {}], ['18c37cbf78f82ee4fcce3d457d02091a', {:username => 'Mustafa', :realm => 'testrealm@host.com', :password => 'Circle Of Life', :nonce => 'dcd98b7102dd2f0e8b11d0f600bfb0c093', :cnonce => '0a4f113b', :algorithm => 'MD5-sess' }, {}], ['4501c091b0366d76ea3218b6cfdd8097', {}, {:digest => '742ec081c96652ff7aed5d819ea0061b'}], ['52cac169f0b9ffbc38f91a50fdc86097', {:nonce => 'dcd98b7102dd2f0e8b11d0f600bfb0c093', :cnonce => '0a4f113b', :algorithm => 'MD5-sess' }, {:digest => '742ec081c96652ff7aed5d819ea0061b'}] ].each_with_index do |expected, i| assert_equal expected[0], HTTPAuth::Digest::Utils.digest_a1(expected[1], expected[2]), "In #{i}:" end end def test_request_digest_a2 [ ['bfdaff59f040a7a7e2a96fc32841dcf7', {:method => 'GET', :uri => '/posts/1'}], ['7c79b99028e43d5bdb6110a6b579344e', {:method => 'POST', :uri => '/posts/4'}], ['1db0cc6a00afef1763eb73abf5a0b151', {:method => 'TRACE', :uri => '/posts', :request_body => "I'm a request body!"}], ['e73cf9345dfdd81c1c649d5c2eb46566', {:method => 'TRACE', :uri => '/posts', :request_body => "I'm a request body!", :qop => 'auth-int'}] ].each_with_index do |expected, i| assert_equal expected[0], HTTPAuth::Digest::Utils.request_digest_a2(expected[1]), "In #{i}:" end end def test_create_nonce salt = 'My secret salt' assert HTTPAuth::Digest::Utils.create_nonce(salt).length > 32 assert_not_equal HTTPAuth::Digest::Utils.create_nonce(salt), HTTPAuth::Digest::Utils.create_nonce(salt) end def test_create_opaque assert_equal 32, HTTPAuth::Digest::Utils.create_opaque.length assert_not_equal HTTPAuth::Digest::Utils.create_opaque, HTTPAuth::Digest::Utils.create_opaque end end HTTPauth-0.2.1/test/fixtures/000077500000000000000000000000001226722240100160015ustar00rootroot00000000000000HTTPauth-0.2.1/test/fixtures/credentials.yml000066400000000000000000000027631226722240100210310ustar00rootroot00000000000000from_marcel: username: marcél realm: testrealm@host.com nonce: dcd98b7102dd2f0e8b11d0f600bfb0c093 uri: '/dir/index.html' qop: auth nc: 1 cnonce: 0a4f113b response: 6629fae49393a05397450978507c4ef1 opaque: 5ccc069c403ebaf9f0171e9517f40e41 from_mustafa: username: Mufasa realm: testrealm@host.com nonce: dcd98b7102dd2f0e8b11d0f600bfb0c093 uri: '/dir/index.html' qop: auth nc: 1 cnonce: 0a4f113b response: 6629fae49393a05397450978507c4ef1 opaque: 5ccc069c403ebaf9f0171e9517f40e41 from_safari: username: admin realm: admin@httpauth.example.com nonce: MjAwNi0wOC0zMCAxMTowMToxNDoyMDA2LTA4LTMwIDExOjAxOjE0Og uri: '/' response: 822f50ba1fe8968408f7c6f0dac8a18d opaque: b1c3d2d5dabb21ec4a121c0b3d50a485 algorithm: MD5 cnonce: c1326a28ddb6d26244a767fec6effcba nc: 1 qop: auth from_thijs: nonce: MjAwNi0wOS0wMSAxNjoxMToxMDo3MzE3NjQ6ZTQ1ZGEyNmE4YzFmYjVlNjk5NDU3NjdkMWE1ODNlMG algorithm: MD5 username: thijs cnonce: MjAwNi0wOS0wMSAxNjoxMToxMDo3MzY4NjQ6NTM1MTI5NzJlNzZjNzJjNWZiYWI2MmY4NGY5MDllNT response: fc2d4ec7dd1f6e413f94014170d5d4a9 opaque: 849a4f980dc043ca0dba13c00af91de4 realm: admin@httpauth.example.com uri: "/" qop: auth nc: 1 from_safari2: username: admin realm: Admin pages nonce: MjAwNi0wOS0wNCAxMToyOTowMzo5NjQ5MDU6NWIyMGY3M2U4ZDM3NDk2Yjg1ZmQyNjIwNWJiNmZjYW uri: "/" response: 1bdd91ba5a90d2964248a73fa61b3f31 opaque: 0835951dab8acf03b1c65556817133fb algorithm: MD5 cnonce: e1f2ac7ce48d5528a82f290ba2af1820 nc: 1 qop: auth HTTPauth-0.2.1/test/test_helper.rb000066400000000000000000000012631226722240100167750ustar00rootroot00000000000000require 'test/unit' require 'fileutils' require 'yaml' class Test::Unit::TestCase def self.key_to_sym(hash) hash.inject({}) do |h, p| if p[1].kind_of? Hash h[p[0].intern] = key_to_sym p[1] else h[p[0].intern] = p[1] end h end end def self.fixtures(name) dir = File.dirname(__FILE__) + '/fixtures' File.open(dir + '/' + name.to_s + '.yml') do |f| class_variable_set "@@#{name}", key_to_sym(YAML.load(f.read)) end end protected def tmpdir File.expand_path(File.dirname(__FILE__) + '/tmp') end def create_tmpdir FileUtils.mkdir tmpdir end def remove_tmpdir FileUtils.rm_rf [tmpdir] end end