mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1550 Commits
11 Branches
Tree: 04a98505a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '04a98505a4'
${ noResults }
gitblit/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest....

HtpasswdAuthenticationTest.java 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365 
  1. /*

  2.  * Copyright 2013 gitblit.com.

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *     http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. package com.gitblit.tests;

  17. 

  18. import java.io.File;

  19. import java.io.FilenameFilter;

  20. import java.io.IOException;

  21. import java.util.HashMap;

  22. 

  23. import org.apache.commons.io.FileUtils;

  24. import org.junit.After;

  25. import org.junit.Before;

  26. import org.junit.Test;

  27. 

  28. import com.gitblit.IStoredSettings;

  29. import com.gitblit.auth.HtpasswdAuthProvider;

  30. import com.gitblit.manager.RuntimeManager;

  31. import com.gitblit.manager.UserManager;

  32. import com.gitblit.models.UserModel;

  33. import com.gitblit.tests.mock.MemorySettings;

  34. 

  35. /**

  36.  * Test the Htpasswd user service.

  37.  *

  38.  */

  39. public class HtpasswdAuthenticationTest extends GitblitUnitTest {

  40. 

  41.     private static final String RESOURCE_DIR = "src/test/resources/htpasswd/";

  42.     private static final String KEY_SUPPORT_PLAINTEXT_PWD = "realm.htpasswd.supportPlaintextPasswords";

  43. 

  44.     private static final int NUM_USERS_HTPASSWD = 10;

  45. 

  46.     private static final MemorySettings MS = new MemorySettings(new HashMap<String, Object>());

  47. 

  48.     private HtpasswdAuthProvider htpasswd;

  49. 

  50. 

  51.     private MemorySettings getSettings(String userfile, String groupfile, Boolean overrideLA)

  52.     {

  53.     	MS.put("realm.userService", RESOURCE_DIR + "users.conf");

  54.         MS.put("realm.htpasswd.userfile", (userfile == null) ? (RESOURCE_DIR + "htpasswd") : userfile);

  55.         MS.put("realm.htpasswd.groupfile", (groupfile == null) ? (RESOURCE_DIR + "htgroup") : groupfile);

  56.         MS.put("realm.htpasswd.overrideLocalAuthentication", (overrideLA == null) ? "false" : overrideLA.toString());

  57.         // Default to keep test the same on all platforms.

  58.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");

  59. 

  60.         return MS;

  61.     }

  62. 

  63.     private MemorySettings getSettings()

  64.     {

  65.         return getSettings(null, null, null);

  66.     }

  67. 

  68.     private void setupUS()

  69.     {

  70.         htpasswd = newHtpasswdAuthentication(getSettings());

  71.     }

  72. 

  73.     private HtpasswdAuthProvider newHtpasswdAuthentication(IStoredSettings settings) {

  74.     	RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();

  75.     	UserManager users = new UserManager(runtime).start();

  76.     	HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();

  77.     	htpasswd.setup(runtime, users);

  78.     	return htpasswd;

  79.     }

  80. 

  81. 

  82.     private void copyInFiles() throws IOException

  83.     {

  84.         File dir = new File(RESOURCE_DIR);

  85.         FilenameFilter filter = new FilenameFilter() {

  86.             @Override

  87. 			public boolean accept(File dir, String file) {

  88.                 return file.endsWith(".in");

  89.                 }

  90.             };

  91.         for (File inf : dir.listFiles(filter)) {

  92.             File dest = new File(inf.getParent(), inf.getName().substring(0, inf.getName().length() - 3));

  93.             FileUtils.copyFile(inf, dest);

  94.         }

  95.     }

  96. 

  97. 

  98.     private void deleteGeneratedFiles()

  99.     {

  100.         File dir = new File(RESOURCE_DIR);

  101.         FilenameFilter filter = new FilenameFilter() {

  102.             @Override

  103. 			public boolean accept(File dir, String file) {

  104.                 return !(file.endsWith(".in"));

  105.                 }

  106.             };

  107.         for (File file : dir.listFiles(filter)) {

  108.             file.delete();

  109.         }

  110.     }

  111. 

  112. 

  113.     @Before

  114.     public void setup() throws IOException

  115.     {

  116.         copyInFiles();

  117.         setupUS();

  118.     }

  119. 

  120. 

  121.     @After

  122.     public void tearDown()

  123.     {

  124.         deleteGeneratedFiles();

  125.     }

  126. 

  127. 

  128. 

  129.     @Test

  130.     public void testSetup() throws IOException

  131.     {

  132.         assertEquals(NUM_USERS_HTPASSWD, htpasswd.getNumberHtpasswdUsers());

  133.     }

  134. 

  135. 

  136.     @Test

  137.     public void testAuthenticate()

  138.     {

  139.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");

  140.         UserModel user = htpasswd.authenticate("user1", "pass1".toCharArray());

  141.         assertNotNull(user);

  142.         assertEquals("user1", user.username);

  143. 

  144.         user = htpasswd.authenticate("user2", "pass2".toCharArray());

  145.         assertNotNull(user);

  146.         assertEquals("user2", user.username);

  147. 

  148.         // Test different encryptions

  149.         user = htpasswd.authenticate("plain", "passWord".toCharArray());

  150.         assertNotNull(user);

  151.         assertEquals("plain", user.username);

  152. 

  153.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");

  154.         user = htpasswd.authenticate("crypt", "password".toCharArray());

  155.         assertNotNull(user);

  156.         assertEquals("crypt", user.username);

  157. 

  158.         user = htpasswd.authenticate("md5", "password".toCharArray());

  159.         assertNotNull(user);

  160.         assertEquals("md5", user.username);

  161. 

  162.         user = htpasswd.authenticate("sha", "password".toCharArray());

  163.         assertNotNull(user);

  164.         assertEquals("sha", user.username);

  165. 

  166. 

  167.         // Test leading and trailing whitespace

  168.         user = htpasswd.authenticate("trailing", "whitespace".toCharArray());

  169.         assertNotNull(user);

  170.         assertEquals("trailing", user.username);

  171. 

  172.         user = htpasswd.authenticate("tabbed", "frontAndBack".toCharArray());

  173.         assertNotNull(user);

  174.         assertEquals("tabbed", user.username);

  175. 

  176.         user = htpasswd.authenticate("leading", "whitespace".toCharArray());

  177.         assertNotNull(user);

  178.         assertEquals("leading", user.username);

  179.     }

  180. 

  181. 

  182.     @Test

  183.     public void testAttributes()

  184.     {

  185.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");

  186.         UserModel user = htpasswd.authenticate("user1", "pass1".toCharArray());

  187.         assertNotNull(user);

  188.         assertEquals("El Capitan", user.displayName);

  189.         assertEquals("cheffe@example.com", user.emailAddress);

  190.         assertTrue(user.canAdmin);

  191. 

  192.         user = htpasswd.authenticate("user2", "pass2".toCharArray());

  193.         assertNotNull(user);

  194.         assertEquals("User Two", user.displayName);

  195.         assertTrue(user.canCreate);

  196.         assertTrue(user.canFork);

  197.     }

  198. 

  199. 

  200.     @Test

  201.     public void testAuthenticateDenied()

  202.     {

  203.         UserModel user = null;

  204.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");

  205.         user = htpasswd.authenticate("user1", "".toCharArray());

  206.         assertNull("User 'user1' falsely authenticated.", user);

  207. 

  208.         user = htpasswd.authenticate("user1", "pass2".toCharArray());

  209.         assertNull("User 'user1' falsely authenticated.", user);

  210. 

  211.         user = htpasswd.authenticate("user2", "lalala".toCharArray());

  212.         assertNull("User 'user2' falsely authenticated.", user);

  213. 

  214. 

  215.         user = htpasswd.authenticate("user3", "disabled".toCharArray());

  216.         assertNull("User 'user3' falsely authenticated.", user);

  217. 

  218.         user = htpasswd.authenticate("user4", "disabled".toCharArray());

  219.         assertNull("User 'user4' falsely authenticated.", user);

  220. 

  221. 

  222.         user = htpasswd.authenticate("plain", "text".toCharArray());

  223.         assertNull("User 'plain' falsely authenticated.", user);

  224. 

  225.         user = htpasswd.authenticate("plain", "password".toCharArray());

  226.         assertNull("User 'plain' falsely authenticated.", user);

  227. 

  228. 

  229.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");

  230. 

  231.         user = htpasswd.authenticate("crypt", "".toCharArray());

  232.         assertNull("User 'cyrpt' falsely authenticated.", user);

  233. 

  234.         user = htpasswd.authenticate("crypt", "passwd".toCharArray());

  235.         assertNull("User 'crypt' falsely authenticated.", user);

  236. 

  237.         user = htpasswd.authenticate("md5", "".toCharArray());

  238.         assertNull("User 'md5' falsely authenticated.", user);

  239. 

  240.         user = htpasswd.authenticate("md5", "pwd".toCharArray());

  241.         assertNull("User 'md5' falsely authenticated.", user);

  242. 

  243.         user = htpasswd.authenticate("sha", "".toCharArray());

  244.         assertNull("User 'sha' falsely authenticated.", user);

  245. 

  246.         user = htpasswd.authenticate("sha", "letmein".toCharArray());

  247.         assertNull("User 'sha' falsely authenticated.", user);

  248. 

  249. 

  250.         user = htpasswd.authenticate("  tabbed", "frontAndBack".toCharArray());

  251.         assertNull("User 'tabbed' falsely authenticated.", user);

  252. 

  253.         user = htpasswd.authenticate("    leading", "whitespace".toCharArray());

  254.         assertNull("User 'leading' falsely authenticated.", user);

  255.     }

  256. 

  257. 

  258.     @Test

  259.     public void testCleartextIntrusion()

  260.     {

  261.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");

  262.         assertNull(htpasswd.authenticate("md5", "$apr1$qAGGNfli$sAn14mn.WKId/3EQS7KSX0".toCharArray()));

  263.         assertNull(htpasswd.authenticate("sha", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=".toCharArray()));

  264. 

  265.         assertNull(htpasswd.authenticate("user1", "#externalAccount".toCharArray()));

  266. 

  267.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");

  268.         assertNull(htpasswd.authenticate("md5", "$apr1$qAGGNfli$sAn14mn.WKId/3EQS7KSX0".toCharArray()));

  269.         assertNull(htpasswd.authenticate("sha", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=".toCharArray()));

  270. 

  271.         assertNull(htpasswd.authenticate("user1", "#externalAccount".toCharArray()));

  272.     }

  273. 

  274. 

  275.     @Test

  276.     public void testCryptVsPlaintext()

  277.     {

  278.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");

  279.         assertNull(htpasswd.authenticate("crypt", "6TmlbxqZ2kBIA".toCharArray()));

  280.         assertNotNull(htpasswd.authenticate("crypt", "password".toCharArray()));

  281. 

  282.         MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");

  283.         assertNotNull(htpasswd.authenticate("crypt", "6TmlbxqZ2kBIA".toCharArray()));

  284.         assertNull(htpasswd.authenticate("crypt", "password".toCharArray()));

  285.     }

  286. 

  287.     @Test

  288.     public void testChangeHtpasswdFile()

  289.     {

  290.         UserModel user;

  291. 

  292.         // User default set up.

  293.         user = htpasswd.authenticate("md5", "password".toCharArray());

  294.         assertNotNull(user);

  295.         assertEquals("md5", user.username);

  296. 

  297.         user = htpasswd.authenticate("sha", "password".toCharArray());

  298.         assertNotNull(user);

  299.         assertEquals("sha", user.username);

  300. 

  301.         user = htpasswd.authenticate("blueone", "GoBlue!".toCharArray());

  302.         assertNull(user);

  303. 

  304.         user = htpasswd.authenticate("bluetwo", "YayBlue!".toCharArray());

  305.         assertNull(user);

  306. 

  307. 

  308.         // Switch to different htpasswd file.

  309.         getSettings(RESOURCE_DIR + "htpasswd-user", null, null);

  310. 

  311.         user = htpasswd.authenticate("md5", "password".toCharArray());

  312.         assertNull(user);

  313. 

  314.         user = htpasswd.authenticate("sha", "password".toCharArray());

  315.         assertNull(user);

  316. 

  317.         user = htpasswd.authenticate("blueone", "GoBlue!".toCharArray());

  318.         assertNotNull(user);

  319.         assertEquals("blueone", user.username);

  320. 

  321.         user = htpasswd.authenticate("bluetwo", "YayBlue!".toCharArray());

  322.         assertNotNull(user);

  323.         assertEquals("bluetwo", user.username);

  324.     }

  325. 

  326. 

  327.     @Test

  328.     public void testChangeHtpasswdFileNotExisting()

  329.     {

  330.         UserModel user;

  331. 

  332.         // User default set up.

  333.         user = htpasswd.authenticate("md5", "password".toCharArray());

  334.         assertNotNull(user);

  335.         assertEquals("md5", user.username);

  336. 

  337.         user = htpasswd.authenticate("sha", "password".toCharArray());

  338.         assertNotNull(user);

  339.         assertEquals("sha", user.username);

  340. 

  341.         user = htpasswd.authenticate("blueone", "GoBlue!".toCharArray());

  342.         assertNull(user);

  343. 

  344.         user = htpasswd.authenticate("bluetwo", "YayBlue!".toCharArray());

  345.         assertNull(user);

  346. 

  347. 

  348.         // Switch to different htpasswd file that doesn't exist.

  349.         // Currently we stop working with old users upon this change.

  350.         getSettings(RESOURCE_DIR + "no-such-file", null, null);

  351. 

  352.         user = htpasswd.authenticate("md5", "password".toCharArray());

  353.         assertNull(user);

  354. 

  355.         user = htpasswd.authenticate("sha", "password".toCharArray());

  356.         assertNull(user);

  357. 

  358.         user = htpasswd.authenticate("blueone", "GoBlue!".toCharArray());

  359.         assertNull(user);

  360. 

  361.         user = htpasswd.authenticate("bluetwo", "YayBlue!".toCharArray());

  362.         assertNull(user);

  363.     }

  364. 

  365. }