From e6f1a0654582402a63cd31d6aa4ec2d45297de3e Mon Sep 17 00:00:00 2001 From: Jocelyn Fiat Date: Fri, 8 Nov 2013 18:14:40 +0100 Subject: [PATCH] Fixed issue with unicode login:password Added EIS info Added testing cases. --- .../src/http_authorization.e | 137 ++++++++++++------ .../testing/http_authorization_tests.e | 57 ++++++++ .../testing/testing-safe.ecf | 19 +++ 3 files changed, 167 insertions(+), 46 deletions(-) create mode 100644 library/server/authentication/http_authorization/testing/http_authorization_tests.e create mode 100644 library/server/authentication/http_authorization/testing/testing-safe.ecf diff --git a/library/server/authentication/http_authorization/src/http_authorization.e b/library/server/authentication/http_authorization/src/http_authorization.e index 9e00dc70..f0ecb6e1 100644 --- a/library/server/authentication/http_authorization/src/http_authorization.e +++ b/library/server/authentication/http_authorization/src/http_authorization.e @@ -1,8 +1,12 @@ note - description : "Objects that ..." - author : "$Author$" - date : "$Date$" - revision : "$Revision$" + description : "[ + Object representing Authorization http header + ]" + date: "$Date$" + revision: "$Revision$" + EIS: "name=RFC2617 HTTP Authentication: Basic and Digest Access Authentication", "protocol=URI", "src=http://tools.ietf.org/html/rfc2617" + EIS: "name=Wikipedia Basic Access Authentication", "protocol=URI", "src=http://en.wikipedia.org/wiki/Basic_access_authentication" + EIS: "name=Wikipedia Digest Access Authentication", "protocol=URI", "src=http://en.wikipedia.org/wiki/Digest_access_authentication" class HTTP_AUTHORIZATION @@ -10,6 +14,8 @@ class inherit REFACTORING_HELPER + DEBUG_OUTPUT + create make, make_basic_auth, @@ -17,94 +23,133 @@ create feature {NONE} -- Initialization - make (a_http_authorization: detachable READABLE_STRING_GENERAL) + make (a_http_authorization: READABLE_STRING_8) -- Initialize `Current'. local i: INTEGER t, s: STRING_8 - u,p: READABLE_STRING_8 + u,p: READABLE_STRING_32 + utf: UTF_CONVERTER do - if a_http_authorization /= Void then - s := a_http_authorization.as_string_8 - create http_authorization.make_from_string (s) - if not s.is_empty then - i := 1 - if s[i] = ' ' then - i := i + 1 - end - i := s.index_of (' ', i) - if i > 0 then - t := s.substring (1, i - 1).as_lower - t.right_adjust; t.left_adjust - type := t - if t.same_string ("basic") then - s := (create {BASE64}).decoded_string (s.substring (i + 1, s.count)) - i := s.index_of (':', 1) --| Let's assume ':' is forbidden in login ... - if i > 0 then - u := s.substring (1, i - 1).as_string_32 - p := s.substring (i + 1, s.count).as_string_32 - login := u - password := p - check - (create {HTTP_AUTHORIZATION}.make_custom_auth (u, p, t)).http_authorization ~ http_authorization - end + create http_authorization.make_from_string (a_http_authorization) + create t.make_empty + type := t + if not a_http_authorization.is_empty then + i := 1 + if a_http_authorization[i] = ' ' then + i := i + 1 + end + i := a_http_authorization.index_of (' ', i) + if i > 0 then + t.append (a_http_authorization.substring (1, i - 1)) + t.right_adjust; t.left_adjust + if t.same_string (Basic_auth_type) then + type := Basic_auth_type + s := (create {BASE64}).decoded_string (a_http_authorization.substring (i + 1, a_http_authorization.count)) + i := s.index_of (':', 1) --| Let's assume ':' is forbidden in login ... + if i > 0 then + u := utf.utf_8_string_8_to_string_32 (s.substring (1, i - 1)) -- UTF_8 decoding to support unicode password + p := utf.utf_8_string_8_to_string_32 (s.substring (i + 1, s.count)) -- UTF_8 decoding to support unicode password + login := u + password := p + check + (create {HTTP_AUTHORIZATION}.make_custom_auth (u, p, t)).http_authorization ~ http_authorization end - elseif t.same_string ("digest") then - to_implement ("HTTP Authorization %"digest%", not yet implemented") - else - to_implement ("HTTP Authorization %""+ t +"%", not yet implemented") end + elseif t.same_string (Digest_auth_type) then + type := Digest_auth_type + to_implement ("HTTP Authorization %"digest%", not yet implemented") + else + to_implement ("HTTP Authorization %""+ t +"%", not yet implemented") end end - else - http_authorization := Void end end make_basic_auth (u: READABLE_STRING_32; p: READABLE_STRING_32) + -- Create a Basic authentication. do - make_custom_auth (u, p, "basic") + make_custom_auth (u, p, Basic_auth_type) end make_custom_auth (u: READABLE_STRING_32; p: READABLE_STRING_32; a_type: READABLE_STRING_8) + -- Create a custom `a_type' authentication. + require + a_type_accepted: a_type.is_case_insensitive_equal (Basic_auth_type) + or a_type.is_case_insensitive_equal (Digest_auth_type) local t: STRING_8 + utf: UTF_CONVERTER do login := u password := p - create t.make_from_string (a_type.as_lower) + create t.make_from_string (a_type) t.left_adjust; t.right_adjust type := t - if t.same_string ("basic") then - create http_authorization.make_from_string ("Basic " + (create {BASE64}).encoded_string (u + ":" + p)) + if t.is_case_insensitive_equal (Basic_auth_type) then + type := Basic_auth_type + create http_authorization.make_from_string ("Basic " + (create {BASE64}).encoded_string (utf.string_32_to_utf_8_string_8 (u + {STRING_32} ":" + p))) + elseif t.is_case_insensitive_equal (Digest_auth_type) then + type := Digest_auth_type + to_implement ("HTTP Authorization %""+ t +"%", not yet implemented") + create http_authorization.make_from_string (t + " ...NOT IMPLEMENTED") else to_implement ("HTTP Authorization %""+ t +"%", not yet implemented") + create http_authorization.make_from_string ("Digest ...NOT IMPLEMENTED") end end feature -- Access - type: detachable READABLE_STRING_8 + http_authorization: IMMUTABLE_STRING_8 + + type: READABLE_STRING_8 login: detachable READABLE_STRING_32 password: detachable READABLE_STRING_32 - http_authorization: detachable IMMUTABLE_STRING_8 - feature -- Status report is_basic: BOOLEAN -- Is Basic authorization? do - if attached type as t then - Result := t.same_string ("basic") + Result := type.is_case_insensitive_equal (Basic_auth_type) + end + + is_digest: BOOLEAN + -- Is Basic authorization? + do + Result := type.is_case_insensitive_equal (Digest_auth_type) + end + + debug_output: STRING_32 + -- String that should be displayed in debugger to represent `Current'. + do + create Result.make_empty + Result.append (type) + Result.append (" ") + if attached login as l_login then + Result.append ("login=[") + Result.append (l_login) + Result.append ("] ") + end + if attached password as l_password then + Result.append ("password=[") + Result.append (l_password) + Result.append ("] ") end end +feature -- Constants + + Basic_auth_type: STRING_8 = "Basic" + Digest_auth_type: STRING_8 = "Digest" + invariant - type_is_lower: attached type as t implies t.same_string (t.as_lower) + type_valid: (type.is_case_insensitive_equal (basic_auth_type) implies type = basic_auth_type) + or (type.is_case_insensitive_equal (Digest_auth_type) implies type = Digest_auth_type) end diff --git a/library/server/authentication/http_authorization/testing/http_authorization_tests.e b/library/server/authentication/http_authorization/testing/http_authorization_tests.e new file mode 100644 index 00000000..c6cdcfec --- /dev/null +++ b/library/server/authentication/http_authorization/testing/http_authorization_tests.e @@ -0,0 +1,57 @@ +note + description: "[ + Eiffel tests that can be executed by testing tool. + ]" + author: "EiffelStudio test wizard" + date: "$Date$" + revision: "$Revision$" + testing: "type/manual" + +class + HTTP_AUTHORIZATION_TESTS + +inherit + EQA_TEST_SET + +feature -- Test routines + + test_basic + -- New test routine + local + l_auth: READABLE_STRING_8 + u,p: detachable READABLE_STRING_32 + h: HTTP_AUTHORIZATION + do + l_auth := "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" + create h.make (l_auth) + assert ("login", attached h.login as l_login and then l_login.same_string ("Aladdin")) + assert ("password", attached h.password as l_password and then l_password.same_string ("open sesame")) + + check_basic_auth_for_login_password ("Aladdin", "open sesame", "Aladdin") + check_basic_auth_for_login_password ("", "", "empty") + check_basic_auth_for_login_password ("@#$@%%@??<.,.,", "@@#$&)&*>M:ASDFDSA''", "symbol") + check_basic_auth_for_login_password ({STRING_32} "%/20320/%/22909/%/21527/", {STRING_32}"%/20320/%/22909/%/21527/", "unicode") + check_basic_auth_for_login_password (create {STRING_32}.make_filled ('u', 100) + {STRING_32}"%/20320/%/22909/%/21527/", create {STRING_32}.make_filled ('p', 100) + {STRING_32}"%/20320/%/22909/%/21527/", "long unicode") + end + +feature -- Impl + + check_basic_auth_for_login_password (u,p: READABLE_STRING_32; a_title: READABLE_STRING_8) + local + h: HTTP_AUTHORIZATION + l_auth: READABLE_STRING_8 + do + create h.make_basic_auth (u, p) + assert (a_title + ":login", attached h.login as l_login and then l_login.same_string (u)) + assert (a_title + ":password", attached h.password as l_password and then l_password.same_string (p)) + l_auth := h.http_authorization + + create h.make (l_auth) + assert (a_title + ":basic", h.type.is_case_insensitive_equal ("Basic")) + assert (a_title + ":login", attached h.login as l_login and then l_login.same_string (u)) + assert (a_title + ":password", attached h.password as l_password and then l_password.same_string (p)) + end + +end + + diff --git a/library/server/authentication/http_authorization/testing/testing-safe.ecf b/library/server/authentication/http_authorization/testing/testing-safe.ecf new file mode 100644 index 00000000..9361f348 --- /dev/null +++ b/library/server/authentication/http_authorization/testing/testing-safe.ecf @@ -0,0 +1,19 @@ + + + + + + /.git$ + /EIFGENs$ + /.svn$ + + + + + + + + +