t/t5563-simple-http-auth.sh

   1 #!/bin/sh
   2
   3 test_description='test http auth header and credential helper interop'
   4
   5 . ./test-lib.sh
   6 . "$TEST_DIRECTORY"/lib-httpd.sh
   7
   8 enable_cgipassauth
   9 if ! test_have_prereq CGIPASSAUTH
  10 then
  11         skip_all="no CGIPassAuth support"
  12         test_done
  13 fi
  14 start_httpd
  15
  16 test_expect_success 'setup_credential_helper' '
  17         mkdir "$TRASH_DIRECTORY/bin" &&
  18         PATH=$PATH:"$TRASH_DIRECTORY/bin" &&
  19         export PATH &&
  20
  21         CREDENTIAL_HELPER="$TRASH_DIRECTORY/bin/git-credential-test-helper" &&
  22         write_script "$CREDENTIAL_HELPER" <<-\EOF
  23         cmd=$1
  24         teefile=$cmd-query-temp.cred
  25         catfile=$cmd-reply.cred
  26         sed -n -e "/^$/q" -e "p" >>$teefile
  27         state=$(sed -ne "s/^state\[\]=helper://p" "$teefile")
  28         if test -z "$state"
  29         then
  30                 mv "$teefile" "$cmd-query.cred"
  31         else
  32                 mv "$teefile" "$cmd-query-$state.cred"
  33                 catfile="$cmd-reply-$state.cred"
  34         fi
  35         if test "$cmd" = "get"
  36         then
  37                 cat $catfile
  38         fi
  39         EOF
  40 '
  41
  42 set_credential_reply () {
  43         local suffix="$(test -n "$2" && echo "-$2")"
  44         cat >"$TRASH_DIRECTORY/$1-reply$suffix.cred"
  45 }
  46
  47 expect_credential_query () {
  48         local suffix="$(test -n "$2" && echo "-$2")"
  49         cat >"$TRASH_DIRECTORY/$1-expect$suffix.cred" &&
  50         test_cmp "$TRASH_DIRECTORY/$1-expect$suffix.cred" \
  51                  "$TRASH_DIRECTORY/$1-query$suffix.cred"
  52 }
  53
  54 per_test_cleanup () {
  55         rm -f *.cred &&
  56         rm -f "$HTTPD_ROOT_PATH"/custom-auth.valid \
  57               "$HTTPD_ROOT_PATH"/custom-auth.challenge
  58 }
  59
  60 test_expect_success 'setup repository' '
  61         test_commit foo &&
  62         git init --bare "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
  63         git push --mirror "$HTTPD_DOCUMENT_ROOT_PATH/repo.git"
  64 '
  65
  66 test_expect_success 'access using basic auth' '
  67         test_when_finished "per_test_cleanup" &&
  68
  69         set_credential_reply get <<-EOF &&
  70         username=alice
  71         password=secret-passwd
  72         EOF
  73
  74         # Basic base64(alice:secret-passwd)
  75         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
  76         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
  77         EOF
  78
  79         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
  80         id=1 status=200
  81         id=default response=WWW-Authenticate: Basic realm="example.com"
  82         EOF
  83
  84         test_config_global credential.helper test-helper &&
  85         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
  86
  87         expect_credential_query get <<-EOF &&
  88         capability[]=authtype
  89         capability[]=state
  90         protocol=http
  91         host=$HTTPD_DEST
  92         wwwauth[]=Basic realm="example.com"
  93         EOF
  94
  95         expect_credential_query store <<-EOF
  96         protocol=http
  97         host=$HTTPD_DEST
  98         username=alice
  99         password=secret-passwd
 100         EOF
 101 '
 102
 103 test_expect_success 'access using basic auth via authtype' '
 104         test_when_finished "per_test_cleanup" &&
 105
 106         set_credential_reply get <<-EOF &&
 107         capability[]=authtype
 108         authtype=Basic
 109         credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 110         EOF
 111
 112         # Basic base64(alice:secret-passwd)
 113         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 114         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 115         EOF
 116
 117         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 118         id=1 status=200
 119         id=default response=WWW-Authenticate: Basic realm="example.com"
 120         EOF
 121
 122         test_config_global credential.helper test-helper &&
 123         GIT_CURL_VERBOSE=1 git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 124
 125         expect_credential_query get <<-EOF &&
 126         capability[]=authtype
 127         capability[]=state
 128         protocol=http
 129         host=$HTTPD_DEST
 130         wwwauth[]=Basic realm="example.com"
 131         EOF
 132
 133         expect_credential_query store <<-EOF
 134         capability[]=authtype
 135         authtype=Basic
 136         credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 137         protocol=http
 138         host=$HTTPD_DEST
 139         EOF
 140 '
 141
 142 test_expect_success 'access using basic auth invalid credentials' '
 143         test_when_finished "per_test_cleanup" &&
 144
 145         set_credential_reply get <<-EOF &&
 146         username=baduser
 147         password=wrong-passwd
 148         EOF
 149
 150         # Basic base64(alice:secret-passwd)
 151         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 152         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 153         EOF
 154
 155         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 156         id=1 status=200
 157         id=default response=WWW-Authenticate: Basic realm="example.com"
 158         EOF
 159
 160         test_config_global credential.helper test-helper &&
 161         test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 162
 163         expect_credential_query get <<-EOF &&
 164         capability[]=authtype
 165         capability[]=state
 166         protocol=http
 167         host=$HTTPD_DEST
 168         wwwauth[]=Basic realm="example.com"
 169         EOF
 170
 171         expect_credential_query erase <<-EOF
 172         protocol=http
 173         host=$HTTPD_DEST
 174         username=baduser
 175         password=wrong-passwd
 176         wwwauth[]=Basic realm="example.com"
 177         EOF
 178 '
 179
 180 test_expect_success 'access using basic auth with extra challenges' '
 181         test_when_finished "per_test_cleanup" &&
 182
 183         set_credential_reply get <<-EOF &&
 184         username=alice
 185         password=secret-passwd
 186         EOF
 187
 188         # Basic base64(alice:secret-passwd)
 189         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 190         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 191         EOF
 192
 193         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 194         id=1 status=200
 195         id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
 196         id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
 197         id=default response=WWW-Authenticate: Basic realm="example.com"
 198         EOF
 199
 200         test_config_global credential.helper test-helper &&
 201         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 202
 203         expect_credential_query get <<-EOF &&
 204         capability[]=authtype
 205         capability[]=state
 206         protocol=http
 207         host=$HTTPD_DEST
 208         wwwauth[]=FooBar param1="value1" param2="value2"
 209         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 210         wwwauth[]=Basic realm="example.com"
 211         EOF
 212
 213         expect_credential_query store <<-EOF
 214         protocol=http
 215         host=$HTTPD_DEST
 216         username=alice
 217         password=secret-passwd
 218         EOF
 219 '
 220
 221 test_expect_success 'access using basic auth mixed-case wwwauth header name' '
 222         test_when_finished "per_test_cleanup" &&
 223
 224         set_credential_reply get <<-EOF &&
 225         username=alice
 226         password=secret-passwd
 227         EOF
 228
 229         # Basic base64(alice:secret-passwd)
 230         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 231         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 232         EOF
 233
 234         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 235         id=1 status=200
 236         id=default response=www-authenticate: foobar param1="value1" param2="value2"
 237         id=default response=WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0
 238         id=default response=WwW-aUtHeNtIcAtE: baSiC realm="example.com"
 239         EOF
 240
 241         test_config_global credential.helper test-helper &&
 242         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 243
 244         expect_credential_query get <<-EOF &&
 245         capability[]=authtype
 246         capability[]=state
 247         protocol=http
 248         host=$HTTPD_DEST
 249         wwwauth[]=foobar param1="value1" param2="value2"
 250         wwwauth[]=BEARER authorize_uri="id.example.com" p=1 q=0
 251         wwwauth[]=baSiC realm="example.com"
 252         EOF
 253
 254         expect_credential_query store <<-EOF
 255         protocol=http
 256         host=$HTTPD_DEST
 257         username=alice
 258         password=secret-passwd
 259         EOF
 260 '
 261
 262 test_expect_success 'access using basic auth with wwwauth header continuations' '
 263         test_when_finished "per_test_cleanup" &&
 264
 265         set_credential_reply get <<-EOF &&
 266         username=alice
 267         password=secret-passwd
 268         EOF
 269
 270         # Basic base64(alice:secret-passwd)
 271         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 272         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 273         EOF
 274
 275         # Note that leading and trailing whitespace is important to correctly
 276         # simulate a continuation/folded header.
 277         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 278         id=1 status=200
 279         id=default response=WWW-Authenticate: FooBar param1="value1"
 280         id=default response= param2="value2"
 281         id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com"
 282         id=default response= p=1
 283         id=default response= q=0
 284         id=default response=WWW-Authenticate: Basic realm="example.com"
 285         EOF
 286
 287         test_config_global credential.helper test-helper &&
 288         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 289
 290         expect_credential_query get <<-EOF &&
 291         capability[]=authtype
 292         capability[]=state
 293         protocol=http
 294         host=$HTTPD_DEST
 295         wwwauth[]=FooBar param1="value1" param2="value2"
 296         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 297         wwwauth[]=Basic realm="example.com"
 298         EOF
 299
 300         expect_credential_query store <<-EOF
 301         protocol=http
 302         host=$HTTPD_DEST
 303         username=alice
 304         password=secret-passwd
 305         EOF
 306 '
 307
 308 test_expect_success 'access using basic auth with wwwauth header empty continuations' '
 309         test_when_finished "per_test_cleanup" &&
 310
 311         set_credential_reply get <<-EOF &&
 312         username=alice
 313         password=secret-passwd
 314         EOF
 315
 316         # Basic base64(alice:secret-passwd)
 317         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 318         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 319         EOF
 320
 321         CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
 322
 323         # Note that leading and trailing whitespace is important to correctly
 324         # simulate a continuation/folded header.
 325         printf "id=1 status=200\n" >"$CHALLENGE" &&
 326         printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
 327         printf "id=default response= \r\n" >>"$CHALLENGE" &&
 328         printf "id=default response= param2=\"value2\"\r\n" >>"$CHALLENGE" &&
 329         printf "id=default response=WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" &&
 330         printf "id=default response= p=1\r\n" >>"$CHALLENGE" &&
 331         printf "id=default response= \r\n" >>"$CHALLENGE" &&
 332         printf "id=default response= q=0\r\n" >>"$CHALLENGE" &&
 333         printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" &&
 334
 335         test_config_global credential.helper test-helper &&
 336         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 337
 338         expect_credential_query get <<-EOF &&
 339         capability[]=authtype
 340         capability[]=state
 341         protocol=http
 342         host=$HTTPD_DEST
 343         wwwauth[]=FooBar param1="value1" param2="value2"
 344         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 345         wwwauth[]=Basic realm="example.com"
 346         EOF
 347
 348         expect_credential_query store <<-EOF
 349         protocol=http
 350         host=$HTTPD_DEST
 351         username=alice
 352         password=secret-passwd
 353         EOF
 354 '
 355
 356 test_expect_success 'access using basic auth with wwwauth header mixed line-endings' '
 357         test_when_finished "per_test_cleanup" &&
 358
 359         set_credential_reply get <<-EOF &&
 360         username=alice
 361         password=secret-passwd
 362         EOF
 363
 364         # Basic base64(alice:secret-passwd)
 365         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 366         id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
 367         EOF
 368
 369         CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
 370
 371         # Note that leading and trailing whitespace is important to correctly
 372         # simulate a continuation/folded header.
 373         printf "id=1 status=200\n" >"$CHALLENGE" &&
 374         printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
 375         printf "id=default response= \r\n" >>"$CHALLENGE" &&
 376         printf "id=default response=\tparam2=\"value2\"\r\n" >>"$CHALLENGE" &&
 377         printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" &&
 378
 379         test_config_global credential.helper test-helper &&
 380         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 381
 382         expect_credential_query get <<-EOF &&
 383         capability[]=authtype
 384         capability[]=state
 385         protocol=http
 386         host=$HTTPD_DEST
 387         wwwauth[]=FooBar param1="value1" param2="value2"
 388         wwwauth[]=Basic realm="example.com"
 389         EOF
 390
 391         expect_credential_query store <<-EOF
 392         protocol=http
 393         host=$HTTPD_DEST
 394         username=alice
 395         password=secret-passwd
 396         EOF
 397 '
 398
 399 test_expect_success 'access using bearer auth' '
 400         test_when_finished "per_test_cleanup" &&
 401
 402         set_credential_reply get <<-EOF &&
 403         capability[]=authtype
 404         authtype=Bearer
 405         credential=YS1naXQtdG9rZW4=
 406         EOF
 407
 408         # Basic base64(a-git-token)
 409         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 410         id=1 creds=Bearer YS1naXQtdG9rZW4=
 411         EOF
 412
 413         CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
 414
 415         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 416         id=1 status=200
 417         id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
 418         id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
 419         id=default response=WWW-Authenticate: Basic realm="example.com"
 420         EOF
 421
 422         test_config_global credential.helper test-helper &&
 423         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 424
 425         expect_credential_query get <<-EOF &&
 426         capability[]=authtype
 427         capability[]=state
 428         protocol=http
 429         host=$HTTPD_DEST
 430         wwwauth[]=FooBar param1="value1" param2="value2"
 431         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 432         wwwauth[]=Basic realm="example.com"
 433         EOF
 434
 435         expect_credential_query store <<-EOF
 436         capability[]=authtype
 437         authtype=Bearer
 438         credential=YS1naXQtdG9rZW4=
 439         protocol=http
 440         host=$HTTPD_DEST
 441         EOF
 442 '
 443
 444 test_expect_success 'access using bearer auth with invalid credentials' '
 445         test_when_finished "per_test_cleanup" &&
 446
 447         set_credential_reply get <<-EOF &&
 448         capability[]=authtype
 449         authtype=Bearer
 450         credential=incorrect-token
 451         EOF
 452
 453         # Basic base64(a-git-token)
 454         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 455         id=1 creds=Bearer YS1naXQtdG9rZW4=
 456         EOF
 457
 458         CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
 459
 460         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 461         id=1 status=200
 462         id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
 463         id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
 464         id=default response=WWW-Authenticate: Basic realm="example.com"
 465         EOF
 466
 467         test_config_global credential.helper test-helper &&
 468         test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 469
 470         expect_credential_query get <<-EOF &&
 471         capability[]=authtype
 472         capability[]=state
 473         protocol=http
 474         host=$HTTPD_DEST
 475         wwwauth[]=FooBar param1="value1" param2="value2"
 476         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 477         wwwauth[]=Basic realm="example.com"
 478         EOF
 479
 480         expect_credential_query erase <<-EOF
 481         capability[]=authtype
 482         authtype=Bearer
 483         credential=incorrect-token
 484         protocol=http
 485         host=$HTTPD_DEST
 486         wwwauth[]=FooBar param1="value1" param2="value2"
 487         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 488         wwwauth[]=Basic realm="example.com"
 489         EOF
 490 '
 491
 492 test_expect_success 'access using three-legged auth' '
 493         test_when_finished "per_test_cleanup" &&
 494
 495         set_credential_reply get <<-EOF &&
 496         capability[]=authtype
 497         capability[]=state
 498         authtype=Multistage
 499         credential=YS1naXQtdG9rZW4=
 500         state[]=helper:foobar
 501         continue=1
 502         EOF
 503
 504         set_credential_reply get foobar <<-EOF &&
 505         capability[]=authtype
 506         capability[]=state
 507         authtype=Multistage
 508         credential=YW5vdGhlci10b2tlbg==
 509         state[]=helper:bazquux
 510         EOF
 511
 512         cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
 513         id=1 creds=Multistage YS1naXQtdG9rZW4=
 514         id=2 creds=Multistage YW5vdGhlci10b2tlbg==
 515         EOF
 516
 517         CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
 518
 519         cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
 520         id=1 status=401 response=WWW-Authenticate: Multistage challenge="456"
 521         id=1 status=401 response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
 522         id=2 status=200
 523         id=default response=WWW-Authenticate: Multistage challenge="123"
 524         id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
 525         EOF
 526
 527         test_config_global credential.helper test-helper &&
 528         git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
 529
 530         expect_credential_query get <<-EOF &&
 531         capability[]=authtype
 532         capability[]=state
 533         protocol=http
 534         host=$HTTPD_DEST
 535         wwwauth[]=Multistage challenge="123"
 536         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 537         EOF
 538
 539         expect_credential_query get foobar <<-EOF &&
 540         capability[]=authtype
 541         capability[]=state
 542         authtype=Multistage
 543         protocol=http
 544         host=$HTTPD_DEST
 545         wwwauth[]=Multistage challenge="456"
 546         wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
 547         state[]=helper:foobar
 548         EOF
 549
 550         expect_credential_query store bazquux <<-EOF
 551         capability[]=authtype
 552         capability[]=state
 553         authtype=Multistage
 554         credential=YW5vdGhlci10b2tlbg==
 555         protocol=http
 556         host=$HTTPD_DEST
 557         state[]=helper:bazquux
 558         EOF
 559 '
 560
 561 test_done