#!/bin/sh
# Abort the script as soon as any unchecked command exits non-zero.
set -e

# Resolve the directory that holds this script, then source the shared test
# framework from it, so the test works from any working directory.
TESTDIR="$(readlink -f "$(dirname "$0")")"
. "$TESTDIR/framework"

# Helpers from the sourced framework (not shown here). Judging by names and
# arguments they build a throw-away apt environment holding one package,
# 'foo' version 1 in 'unstable' — confirm against the framework.
setupenvironment
configarchitecture 'i386'
insertpackage 'unstable' 'foo' 'all' '1'
setupaptarchive --no-update

# Hand the web server helper the base64 form of 'user:password', which is the
# credential format of HTTP Basic authentication. printf '%s' is used so no
# trailing newline is encoded into the value.
# Base64 is an encoding, not encryption: anyone who can read the header can
# recover the password, so the transport (http vs. https) matters below.
changetohttpswebserver --authorization="$(printf '%s' 'star@irc:hunter2' | base64 )"

# Fixture content that the download checks fetch as "<uri>/bash".
echo 'See, when YOU type hunter2, it shows to us as *******' > aptarchive/bash

# Drop a config snippet that switches on Debug::Acquire::netrc.
# NOTE(review): tracing credential lookups is harmless with these throw-away
# test credentials; presumably it should stay off wherever real auth.conf
# secrets are in use — confirm what the option writes to the output.
echo 'Debug::Acquire::netrc "true";' > rootdir/etc/apt/apt.conf.d/netrcdebug.conf
# Assert that fetching "<uri>/bash" is refused by the server.
# Arguments: $1 - base URI of the repository under test
testauthfailure() {
	local rejected='./downloaded/bash'

	testfailure apthelper download-file "${1}/bash" "$rejected"
	# Weak check: http and https word the failure very differently, so only
	# the status code 401 is searched for in testfailure.output. Any other
	# "401" in that output would satisfy it as well.
	testsuccess grep 401 rootdir/tmp/testfailure.output
	# A refused download must not leave a non-empty file behind.
	testfailure test -s "$rejected"
}
# Assert that the repository at the given URI is usable with the credentials
# currently configured: a single file downloads intact, 'aptget update'
# succeeds and a simulated install of 'foo' resolves.
# Arguments: $1 - base URI of the repository under test
testauthsuccess() {
	# The download must succeed, match the served fixture byte for byte and
	# carry the expected owner, group and mode 644.
	testsuccess apthelper download-file "${1}/bash" ./downloaded/bash
	testfileequal ./downloaded/bash "$(cat aptarchive/bash)"
	testfilestats ./downloaded/bash '%U:%G:%a' '=' "${TEST_DEFAULT_USER}:${TEST_DEFAULT_GROUP}:644"
	rm -f ./downloaded/bash
	# Check that the credentials file kept acceptable ownership and mode 600
	# (owner _apt when the test runs as root).
	# NOTE(review): in this listing AUTHCONF is only assigned as a 'local'
	# inside authfile(), so unless the framework or the environment sets it,
	# this branch is skipped and the 600/ownership check never runs — confirm.
	if [ -n "$AUTHCONF" ]; then
		if [ "$(id -u)" = '0' ]; then
			testfilestats "$AUTHCONF" '%U:%G:%a' '=' "_apt:$(id -gn):600"
		else
			testfilestats "$AUTHCONF" '%U:%G:%a' '=' "${TEST_DEFAULT_USER}:${TEST_DEFAULT_GROUP}:600"
		fi
	fi
	# Throw away the downloaded lists so the update below has to fetch again.
	rm -rf rootdir/var/lib/apt/lists
	# 'expr index' exits 0 only when '@' occurs in the URI, i.e. when the URI
	# itself carries user:password. In that case the update is expected to
	# succeed with a notice instead of silently.
	if expr index "$1" '@' >/dev/null; then
		testsuccesswithnotice aptget update
	else
		testsuccess aptget update
	fi
	# The simulated install must print exactly this text.
	testsuccessequal 'Reading package lists...
Building dependency tree...
The following NEW packages will be installed:
foo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst foo (1 unstable [all])
Conf foo (1 unstable [all])' aptget install foo -s
}
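# Write an apt credentials file holding exactly the given text.
# Arguments:
#   $1 - file content (netrc-style stanzas; may be empty)
#   $2 - target path, defaults to rootdir/etc/apt/auth.conf
# The file ends up with mode 600; a previous file at the path is replaced.
authfile() {
	local AUTHCONF="${2:-rootdir/etc/apt/auth.conf}"
	mkdir -p "$(dirname "$AUTHCONF")"
	rm -f "$AUTHCONF"
	# Create the file under a restrictive umask so the credentials are never
	# readable by group or others, not even in the window between creation
	# and the chmod below. The subshell keeps the umask change local.
	( umask 077; printf '%s' "$1" > "$AUTHCONF" )
	chmod 600 "$AUTHCONF"
}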
# Run the full credential matrix against one repository URI: for each variant
# of the credentials file, check that access is granted or refused as expected.
# Arguments: $1 - base URI of the repository (scheme://host:port)
# Globals:   protocol (written), TMPWORKINGDIRECTORY (read)
runtest() {
	local uri="$1"
	local valid='login star@irc
password hunter2'
	local other='https'

	# No credentials at all: access must be refused.
	authfile ''
	testauthfailure "$uri"

	# Scheme of the URI (the text before '://'). Assigned without 'local', so
	# it stays set after runtest returns.
	protocol="${uri%%://*}"

	# Matching machine with the right login: access is granted.
	authfile "machine ${protocol}://localhost
${valid}"
	testauthsuccess "$uri"

	# Matching machine with the wrong login: access is refused.
	authfile "machine ${protocol}://localhost
login anonymous
password hunter2"
	testauthfailure "$uri"

	# Two stanzas: an unrelated machine first, the matching one second.
	authfile "machine ${protocol}://debian.org
login debian
password jessie
machine ${protocol}://localhost
${valid}"
	testauthsuccess "$uri"

	# Stanza without a scheme: honoured for https only. Over plain http the
	# credentials are withheld and a warning says the protocol is not
	# encrypted, so a scheme-less entry cannot leak a password in cleartext.
	authfile "machine localhost
${valid}"
	case "$protocol" in
		https)
			testauthsuccess "$uri"
			;;
		*)
			testfailure apthelper download-file "${uri}/bash" ./downloaded/bash
			testsuccessequal "W: ${uri}/bash: ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf: Credentials for localhost match, but the protocol is not encrypted. Annotate with http:// to use." grep "Credentials.*match" rootdir/tmp/testfailure.output
			testauthfailure "$uri"
			;;
	esac

	# Stanza annotated with the opposite scheme: must not match.
	if [ "$protocol" = 'https' ]; then
		other='http'
	fi
	authfile "machine ${other}://localhost
${valid}"
	testauthfailure "$uri"

	# Without auth.conf access fails; a snippet in auth.conf.d restores it.
	rm rootdir/etc/apt/auth.conf
	testauthfailure "$uri"
	authfile "machine ${protocol}://localhost
${valid}" rootdir/etc/apt/auth.conf.d/myauth.conf
	testauthsuccess "$uri"
	rm rootdir/etc/apt/auth.conf.d/myauth.conf
}
# --- Scenario 1: the server itself demands Basic auth -----------------------
msgmsg 'server basic auth'
# Plain http: run the whole credentials-file matrix.
rewritesourceslist "http://localhost:${APTHTTPPORT}"
runtest "http://localhost:${APTHTTPPORT}"
# Credentials carried in the URI itself ('%40' is the percent-encoded '@' of
# the user name) with an empty credentials file: access must still work.
# The '@' in the URI makes testauthsuccess expect a notice from 'aptget update'.
rewritesourceslist "http://star%40irc:hunter2@localhost:${APTHTTPPORT}"
authfile ''
testauthsuccess "http://star%40irc:hunter2@localhost:${APTHTTPPORT}"
# Same matrix over https.
rewritesourceslist "https://localhost:${APTHTTPSPORT}"
runtest "https://localhost:${APTHTTPSPORT}"
# Point the sources list back at plain http for the proxy scenarios.
rewritesourceslist "http://localhost:${APTHTTPPORT}"

# --- Scenario 2: unauthenticated proxy in front of the server ---------------
msgmsg 'proxy to server basic auth'
# presumably lets the test web server accept absolute request URIs, as a
# proxy receives them — confirm in the framework
webserverconfig 'aptwebserver::request::absolute' 'uri'
# The proxy is addressed by IP rather than as 'localhost': proxy and repository
# are served by the same web server, and using the IP keeps the repository's
# 'localhost' credentials from being picked up for the proxy as well.
export http_proxy="http://127.0.0.1:${APTHTTPPORT}"
runtest "http://localhost:${APTHTTPPORT}"
unset http_proxy

# --- Scenario 3: proxy and server both demand Basic auth --------------------
msgmsg 'proxy basic auth to server basic auth'
# Proxy credential in Basic-auth form (base64 of 'user:password').
webserverconfig 'aptwebserver::proxy-authorization' "$(printf 'moon:deer2' | base64)"
# Proxy credentials travel in the http_proxy URI, i.e. in the environment of
# every child process — fine for these throw-away test values.
export http_proxy="http://moon:deer2@localhost:${APTHTTPPORT}"
runtest "http://localhost:${APTHTTPPORT}"

# --- Scenario 4: only the proxy demands auth --------------------------------
msgmsg 'proxy basic auth to server'
# http_proxy is still exported from the previous scenario. With the server's
# own authorization cleared and an empty credentials file, access must succeed.
authfile ''
webserverconfig 'aptwebserver::authorization' ''
testauthsuccess "http://localhost:${APTHTTPPORT}"