From: Ronald J Kimball
Date: Tue, 26 Jun 2012 20:27:04 +0000 (-0400)
Subject: Add broken_dotnet_digest_without_query_string option
X-Git-Tag: v1.015~3^2~1
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=47a916e2bcad13df7549b64691fd8ac15b475441;hp=ae265059fb63ec8f6bdc81268a6d3daa7950c034;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git

Add broken_dotnet_digest_without_query_string option

Allows digest authentication from .NET, which does not include the query string in the uri in the digest Authorization header.

Add tests, update POD.
---
diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm
index eb56668..d7d6699 100644
--- a/lib/Catalyst/Authentication/Credential/HTTP.pm
+++ b/lib/Catalyst/Authentication/Credential/HTTP.pm
@@ -20,6 +20,7 @@ __PACKAGE__->mk_accessors(qw/
 use_uri_for
 no_unprompted_authorization_required
 require_ssl
+ broken_dotnet_digest_without_query_string
 /);
 our $VERSION = '1.014';
@@ -130,7 +131,9 @@ sub authenticate_digest {
 my $algorithm = $res{algorithm} || 'MD5';
 my $nonce_count = '0x' . $res{nc};
- my $check = $uri eq $res{uri}
+ my $check = ($uri eq $res{uri} ||
+ ($self->broken_dotnet_digest_without_query_string &&
+ $c->request->uri->path eq $res{uri}))
 && ( exists $res{username} )
 && ( exists $res{qop} )
 && ( exists $res{cnonce} )
@@ -637,6 +640,15 @@ return a 401 response in your application), and even
 some automated user agents (for APIs) will not send the Authorization header without specific manipulation of the request headers.
+=item broken_dotnet_digest_without_query_string
+
+Enables support for .NET (or other similarly broken clients), which
+fails to include the query string in the uri in the digest
+Authorization header.
+
+This option has no effect on clients that include the query string;
+they will continue to work as normal.
+
 =back
 =head1 RESTRICTIONS
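Review bot: With `broken_dotnet_digest_without_query_string` set, the new fallback `$c->request->uri->path eq $res{uri}` accepts an Authorization header whose A2 covers only the path, so the query string is no longer bound by the `response` value: a header computed for `/moose` is also valid for `/moose?moose_id=2`, and an on-path attacker can rewrite query parameters without breaking the digest. That is the inherent cost of the workaround, but it should be stated at the new lines, e.g. `# .NET puts only method:path in A2, so with this option the query string is not covered by the digest`. It is also worth confirming that `$uri`, assigned before this hunk, is always the path-plus-query form; if it can be an absolute URI on the `use_uri_for` path (presumably), the primary and fallback comparisons are checking different shapes. authenticate_digest starts before this hunk and continues after it.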
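Review bot: The new POD entry says what the option tolerates but not what is given up: once enabled, the server accepts a digest computed over the path alone, so the query string of a request is no longer integrity-protected by the `response` field for any client, not just .NET. Add a sentence such as `Enabling this option means the query string is not covered by the digest, so only set it when you actually need to support such clients.` after the second paragraph so operators can weigh the trade-off.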
@@ -675,6 +687,8 @@ Patches contributed by:
 =item Devin Austin (dhoss) C
+=item Ronald J Kimball
+
 =back
 =head1 SEE ALSO
diff --git a/t/lib/AuthDigestDotnetTestApp.pm b/t/lib/AuthDigestDotnetTestApp.pm
new file mode 100644
index 0000000..57a530a
--- /dev/null
+++ b/t/lib/AuthDigestDotnetTestApp.pm
@@ -0,0 +1,42 @@
+package AuthDigestDotnetTestApp;
+use Catalyst qw/
+ Authentication
+ Cache
+/;
+
+our %users;
+my $digest_pass = Digest::MD5->new;
+$digest_pass->add('Mufasa2:testrealm@host.com:Circle Of Life');
+%users = (
+ Mufasa => { pass => "Circle Of Life", },
+ Mufasa2 => { pass => $digest_pass->hexdigest, },
+);
+__PACKAGE__->config(
+ cache => {
+ backend => {
+ class => 'Cache::FileCache',
+ },
+ },
+ authentication => {
+ default_realm => 'testrealm@host.com',
+ realms => {
+ 'testrealm@host.com' => {
+ store => {
+ class => 'Minimal',
+ users => \%users,
+ },
+ credential => {
+ class => 'HTTP',
+ type => 'digest',
+ password_type => 'clear',
+ password_field => 'pass',
+ broken_dotnet_digest_without_query_string => 1,
+ },
+ },
+ },
+ },
+);
+__PACKAGE__->setup;
+
+1;
+
diff --git a/t/lib/AuthDigestDotnetTestApp/Controller/Root.pm b/t/lib/AuthDigestDotnetTestApp/Controller/Root.pm
new file mode 100644
index 0000000..d7c49e8
--- /dev/null
+++ b/t/lib/AuthDigestDotnetTestApp/Controller/Root.pm
@@ -0,0 +1,17 @@
+package AuthDigestDotnetTestApp::Controller::Root;
+use strict;
+use warnings;
+
+use base qw/ Catalyst::Controller /;
+
+__PACKAGE__->config(namespace => '');
+
+sub moose : Local {
+ my ( $self, $c ) = @_;
+ #$c->authenticate( { realm => 'testrealm@host.com' } );
+ $c->authenticate();
+ $c->res->body( $c->user->id );
+}
+
+1;
+
diff --git a/t/live_app_digest_dotnet.t b/t/live_app_digest_dotnet.t
new file mode 100644
index 0000000..5a3b23e
--- /dev/null
+++ b/t/live_app_digest_dotnet.t
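Review bot: `Digest::MD5->new` on the line after `our %users;` is called without a `use Digest::MD5;` anywhere in this file, so the test app only compiles if something loaded earlier (presumably Catalyst or the credential module) has already pulled it in; add `use Digest::MD5;` after the `use Catalyst qw/ ... /;` block so the file stands on its own. The file also lacks `use strict; use warnings;`, unlike the Root controller added in the next hunk — add them unless Catalyst's import is known to enable them. `our %users;` followed by a separate assignment could simply be `my %users = ( ... );`, since the hash is only referenced as `\%users` within this file.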
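Review bot: The commented-out `#$c->authenticate( { realm => 'testrealm@host.com' } );` in `moose` is dead code; either delete it or replace it with a comment stating that the realm comes from `default_realm` in the app config. The action reads `$c->user->id` straight after `$c->authenticate()`, which only works if a failed digest check never returns here (presumably the credential detaches with a 401/400); a one-line comment noting that assumption would help anyone reusing this controller.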
@@ -0,0 +1,92 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use FindBin qw/$Bin/;
+use lib "$Bin/lib";
+use Test::More;
+BEGIN {
+ do {
+ eval { require Test::WWW::Mechanize::Catalyst }
+ and
+ Test::WWW::Mechanize::Catalyst->VERSION('0.51')
+ }
+ or plan skip_all =>
+ "Test::WWW::Mechanize::Catalyst is needed for this test";
+ eval { require Catalyst::Plugin::Cache }
+ or plan skip_all =>
+ "Catalyst::Plugin::Cache is needed for this test";
+ eval { require Cache::FileCache }
+ or plan skip_all =>
+ "Cache::FileCache is needed for this test";
+ plan tests => 19;
+}
+use Digest::MD5;
+use HTTP::Request;
+use Test::More;
+use Test::WWW::Mechanize::Catalyst;
+
+sub do_test {
+ my ($username, $uri, $emulate_dotnet, $fail) = @_;
+ my $app = $fail ? 'AuthDigestTestApp' : 'AuthDigestDotnetTestApp';
+ my $mech = Test::WWW::Mechanize::Catalyst->new(catalyst_app => $app);
+ $mech->get("http://localhost/moose");
+ is( $mech->status, 401, "status is 401" );
+ my $www_auth = $mech->res->headers->header('WWW-Authenticate');
+ my %www_auth_params = map {
+ my @key_val = split /=/, $_, 2;
+ $key_val[0] = lc $key_val[0];
+ $key_val[1] =~ s{"}{}g; # remove the quotes
+ @key_val;
+ } split /, /, substr( $www_auth, 7 ); #7 == length "Digest "
+ $mech->content_lacks( "foo", "no output" );
+ my $response = '';
+ {
+ my $password = 'Circle Of Life';
+ my $realm = $www_auth_params{realm};
+ my $nonce = $www_auth_params{nonce};
+ my $cnonce = '0a4f113b';
+ my $opaque = $www_auth_params{opaque};
+ my $nc = '00000001';
+ my $method = 'GET';
+ my $qop = 'auth';
+ $uri ||= '/moose';
+ my $auth_uri = $uri;
+ if ($emulate_dotnet) {
+ $auth_uri =~ s/\?.*//;
+ }
+ my $ctx = Digest::MD5->new;
+ $ctx->add( join( ':', $username, $realm, $password ) );
+ my $A1_digest = $ctx->hexdigest;
+ $ctx = Digest::MD5->new;
+ $ctx->add( join( ':', $method, $auth_uri ) );
+ my $A2_digest = $ctx->hexdigest;
+ my $digest = Digest::MD5::md5_hex(
+ join( ':',
+ $A1_digest, $nonce, $qop ? 
( $nc, $cnonce, $qop ) : (), $A2_digest )
+ );
+
+ $response = qq{Digest username="$username", realm="$realm", nonce="$nonce", uri="$auth_uri", qop=$qop, nc=$nc, cnonce="$cnonce", response="$digest", opaque="$opaque"};
+ }
+ my $r = HTTP::Request->new( GET => "http://localhost" . $uri );
+ $mech->request($r);
+ $r->headers->push_header( Authorization => $response );
+ $mech->request($r);
+ if ($fail) {
+ is( $mech->status, 400, "status is 400" );
+ } else {
+ is( $mech->status, 200, "status is 200" );
+ $mech->content_contains( $username, "Mufasa output" );
+ }
+}
+
+do_test('Mufasa');
+do_test('Mufasa2');
+# Test with query string
+do_test('Mufasa2', '/moose?moose_id=1');
+# Test with query string, emulating .NET, which omits the query string
+# from the Authorization header
+do_test('Mufasa2', '/moose?moose_id=1', 1);
+
+# Test with query string, emulating .NET, against app without .NET setting;
+# authorization should fail
+do_test('Mufasa2', '/moose?moose_id=1', 1, 1);
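Review bot: The new cases prove that a path-only `uri` is accepted with the option on and rejected without it, but nothing checks that the relaxation stops at the path: against `AuthDigestDotnetTestApp`, a header whose `uri` is neither `/moose?moose_id=1` nor `/moose` (say `/elk`, digested over `GET:/elk`) must still be rejected, and that is the case that would catch a regression to "ignore uri entirely". Because `do_test` couples `$fail` to switching apps, this needs either a fifth argument that overrides `$auth_uri` together with an expected status, or a small separate case; `plan tests => 19` then has to change (or become `done_testing`). The unauthenticated `$mech->request($r)` issued before `push_header` duplicates the earlier `$mech->get` and its result is never asserted; if it is needed to prime the nonce cache, a comment should say so, otherwise drop it.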