http_test.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441
  1. package spnego
  2. import (
  3. "bytes"
  4. "crypto/rand"
  5. "encoding/base64"
  6. "encoding/hex"
  7. "errors"
  8. "fmt"
  9. "io"
  10. "io/ioutil"
  11. "log"
  12. "mime/multipart"
  13. "net/http"
  14. "net/http/cookiejar"
  15. "net/http/httptest"
  16. "os"
  17. "sync"
  18. "testing"
  19. "github.com/gorilla/sessions"
  20. "github.com/jcmturner/goidentity/v6"
  21. "github.com/jcmturner/gokrb5/v8/client"
  22. "github.com/jcmturner/gokrb5/v8/config"
  23. "github.com/jcmturner/gokrb5/v8/keytab"
  24. "github.com/jcmturner/gokrb5/v8/service"
  25. "github.com/jcmturner/gokrb5/v8/test"
  26. "github.com/jcmturner/gokrb5/v8/test/testdata"
  27. "github.com/stretchr/testify/assert"
  28. )
  29. func TestClient_SetSPNEGOHeader(t *testing.T) {
  30. test.Integration(t)
  31. b, _ := hex.DecodeString(testdata.KEYTAB_TESTUSER1_TEST_GOKRB5)
  32. kt := keytab.New()
  33. kt.Unmarshal(b)
  34. c, _ := config.NewFromString(testdata.KRB5_CONF)
  35. addr := os.Getenv("TEST_KDC_ADDR")
  36. if addr == "" {
  37. addr = testdata.KDC_IP_TEST_GOKRB5
  38. }
  39. c.Realms[0].KDC = []string{addr + ":" + testdata.KDC_PORT_TEST_GOKRB5}
  40. l := log.New(os.Stderr, "SPNEGO Client:", log.LstdFlags)
  41. cl := client.NewWithKeytab("testuser1", "TEST.GOKRB5", kt, c, client.Logger(l))
  42. err := cl.Login()
  43. if err != nil {
  44. t.Fatalf("error on AS_REQ: %v\n", err)
  45. }
  46. urls := []string{
  47. "http://cname.test.gokrb5",
  48. "http://host.test.gokrb5",
  49. }
  50. paths := []string{
  51. "/modkerb/index.html",
  52. //"/modgssapi/index.html",
  53. }
  54. for _, url := range urls {
  55. for _, p := range paths {
  56. r, _ := http.NewRequest("GET", url+p, nil)
  57. httpResp, err := http.DefaultClient.Do(r)
  58. if err != nil {
  59. t.Fatalf("%s request error: %v", url+p, err)
  60. }
  61. assert.Equal(t, http.StatusUnauthorized, httpResp.StatusCode, "Status code in response to client with no SPNEGO not as expected")
  62. err = SetSPNEGOHeader(cl, r, "")
  63. if err != nil {
  64. t.Fatalf("error setting client SPNEGO header: %v", err)
  65. }
  66. httpResp, err = http.DefaultClient.Do(r)
  67. if err != nil {
  68. t.Fatalf("%s request error: %v\n", url+p, err)
  69. }
  70. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  71. }
  72. }
  73. }
  74. func TestSPNEGOHTTPClient(t *testing.T) {
  75. test.Integration(t)
  76. b, _ := hex.DecodeString(testdata.KEYTAB_TESTUSER1_TEST_GOKRB5)
  77. kt := keytab.New()
  78. kt.Unmarshal(b)
  79. c, _ := config.NewFromString(testdata.KRB5_CONF)
  80. addr := os.Getenv("TEST_KDC_ADDR")
  81. if addr == "" {
  82. addr = testdata.KDC_IP_TEST_GOKRB5
  83. }
  84. c.Realms[0].KDC = []string{addr + ":" + testdata.KDC_PORT_TEST_GOKRB5}
  85. l := log.New(os.Stderr, "SPNEGO Client:", log.LstdFlags)
  86. cl := client.NewWithKeytab("testuser1", "TEST.GOKRB5", kt, c, client.Logger(l))
  87. err := cl.Login()
  88. if err != nil {
  89. t.Fatalf("error on AS_REQ: %v\n", err)
  90. }
  91. urls := []string{
  92. "http://cname.test.gokrb5",
  93. "http://host.test.gokrb5",
  94. }
  95. // This path issues a redirect which the http client will automatically follow.
  96. // It should cause a replay issue if the negInit token is sent in the first instance.
  97. paths := []string{
  98. "/modgssapi", // This issues a redirect which the http client will automatically follow. Could cause a replay issue
  99. "/redirect",
  100. }
  101. for _, url := range urls {
  102. for _, p := range paths {
  103. r, _ := http.NewRequest("GET", url+p, nil)
  104. httpCl := http.DefaultClient
  105. httpCl.CheckRedirect = func(req *http.Request, via []*http.Request) error {
  106. t.Logf("http client redirect: %+v", *req)
  107. return nil
  108. }
  109. spnegoCl := NewClient(cl, httpCl, "")
  110. httpResp, err := spnegoCl.Do(r)
  111. if err != nil {
  112. t.Fatalf("%s request error: %v", url+p, err)
  113. }
  114. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  115. }
  116. }
  117. }
  118. func TestService_SPNEGOKRB_NoAuthHeader(t *testing.T) {
  119. s := httpServer()
  120. defer s.Close()
  121. r, _ := http.NewRequest("GET", s.URL, nil)
  122. httpResp, err := http.DefaultClient.Do(r)
  123. if err != nil {
  124. t.Fatalf("Request error: %v\n", err)
  125. }
  126. assert.Equal(t, http.StatusUnauthorized, httpResp.StatusCode, "Status code in response to client with no SPNEGO not as expected")
  127. assert.Equal(t, "Negotiate", httpResp.Header.Get("WWW-Authenticate"), "Negotiation header not set by server.")
  128. }
  129. func TestService_SPNEGOKRB_ValidUser(t *testing.T) {
  130. test.Integration(t)
  131. s := httpServer()
  132. defer s.Close()
  133. r, _ := http.NewRequest("GET", s.URL, nil)
  134. cl := getClient()
  135. err := SetSPNEGOHeader(cl, r, "HTTP/host.test.gokrb5")
  136. if err != nil {
  137. t.Fatalf("error setting client's SPNEGO header: %v", err)
  138. }
  139. httpResp, err := http.DefaultClient.Do(r)
  140. if err != nil {
  141. t.Fatalf("Request error: %v\n", err)
  142. }
  143. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  144. }
  145. func TestService_SPNEGOKRB_ValidUser_RawKRB5Token(t *testing.T) {
  146. test.Integration(t)
  147. s := httpServer()
  148. defer s.Close()
  149. r, _ := http.NewRequest("GET", s.URL, nil)
  150. cl := getClient()
  151. sc := SPNEGOClient(cl, "HTTP/host.test.gokrb5")
  152. err := sc.AcquireCred()
  153. if err != nil {
  154. t.Fatalf("could not acquire client credential: %v", err)
  155. }
  156. st, err := sc.InitSecContext()
  157. if err != nil {
  158. t.Fatalf("could not initialize context: %v", err)
  159. }
  160. // Use the raw KRB5 context token
  161. nb := st.(*SPNEGOToken).NegTokenInit.MechTokenBytes
  162. hs := "Negotiate " + base64.StdEncoding.EncodeToString(nb)
  163. r.Header.Set(HTTPHeaderAuthRequest, hs)
  164. httpResp, err := http.DefaultClient.Do(r)
  165. if err != nil {
  166. t.Fatalf("Request error: %v\n", err)
  167. }
  168. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  169. }
  170. func TestService_SPNEGOKRB_Replay(t *testing.T) {
  171. test.Integration(t)
  172. s := httpServerWithoutSessionManager()
  173. defer s.Close()
  174. r1, _ := http.NewRequest("GET", s.URL, nil)
  175. cl := getClient()
  176. err := SetSPNEGOHeader(cl, r1, "HTTP/host.test.gokrb5")
  177. if err != nil {
  178. t.Fatalf("error setting client's SPNEGO header: %v", err)
  179. }
  180. // First request with this ticket should be accepted
  181. httpResp, err := http.DefaultClient.Do(r1)
  182. if err != nil {
  183. t.Fatalf("Request error: %v\n", err)
  184. }
  185. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  186. // Use ticket again should be rejected
  187. httpResp, err = http.DefaultClient.Do(r1)
  188. if err != nil {
  189. t.Fatalf("Request error: %v\n", err)
  190. }
  191. assert.Equal(t, http.StatusUnauthorized, httpResp.StatusCode, "Status code in response to client with no SPNEGO not as expected. Expected a replay to be detected.")
  192. // Form a 2nd ticket
  193. r2, _ := http.NewRequest("GET", s.URL, nil)
  194. err = SetSPNEGOHeader(cl, r2, "HTTP/host.test.gokrb5")
  195. if err != nil {
  196. t.Fatalf("error setting client's SPNEGO header: %v", err)
  197. }
  198. // First use of 2nd ticket should be accepted
  199. httpResp, err = http.DefaultClient.Do(r2)
  200. if err != nil {
  201. t.Fatalf("Request error: %v\n", err)
  202. }
  203. assert.Equal(t, http.StatusOK, httpResp.StatusCode, "Status code in response to client SPNEGO request not as expected")
  204. // Using the 1st ticket again should still be rejected
  205. httpResp, err = http.DefaultClient.Do(r1)
  206. if err != nil {
  207. t.Fatalf("Request error: %v\n", err)
  208. }
  209. assert.Equal(t, http.StatusUnauthorized, httpResp.StatusCode, "Status code in response to client with no SPNEGO not as expected. Expected a replay to be detected.")
  210. // Using the 2nd again should be rejected as replay
  211. httpResp, err = http.DefaultClient.Do(r2)
  212. if err != nil {
  213. t.Fatalf("Request error: %v\n", err)
  214. }
  215. assert.Equal(t, http.StatusUnauthorized, httpResp.StatusCode, "Status code in response to client with no SPNEGO not as expected. Expected a replay to be detected.")
  216. }
  217. func TestService_SPNEGOKRB_ReplayCache_Concurrency(t *testing.T) {
  218. test.Integration(t)
  219. s := httpServerWithoutSessionManager()
  220. defer s.Close()
  221. r1, _ := http.NewRequest("GET", s.URL, nil)
  222. cl := getClient()
  223. err := SetSPNEGOHeader(cl, r1, "HTTP/host.test.gokrb5")
  224. if err != nil {
  225. t.Fatalf("error setting client's SPNEGO header: %v", err)
  226. }
  227. r1h := r1.Header.Get(HTTPHeaderAuthRequest)
  228. r2, _ := http.NewRequest("GET", s.URL, nil)
  229. err = SetSPNEGOHeader(cl, r2, "HTTP/host.test.gokrb5")
  230. if err != nil {
  231. t.Fatalf("error setting client's SPNEGO header: %v", err)
  232. }
  233. r2h := r2.Header.Get(HTTPHeaderAuthRequest)
  234. // Concurrent 1st requests should be OK
  235. var wg sync.WaitGroup
  236. wg.Add(2)
  237. go httpGet(r1, &wg)
  238. go httpGet(r2, &wg)
  239. wg.Wait()
  240. // A number of concurrent requests with the same ticket should be rejected due to replay
  241. var wg2 sync.WaitGroup
  242. noReq := 10
  243. wg2.Add(noReq * 2)
  244. for i := 0; i < noReq; i++ {
  245. rr1, _ := http.NewRequest("GET", s.URL, nil)
  246. rr1.Header.Set(HTTPHeaderAuthRequest, r1h)
  247. rr2, _ := http.NewRequest("GET", s.URL, nil)
  248. rr2.Header.Set(HTTPHeaderAuthRequest, r2h)
  249. go httpGet(rr1, &wg2)
  250. go httpGet(rr2, &wg2)
  251. }
  252. wg2.Wait()
  253. }
  254. func TestService_SPNEGOKRB_Upload(t *testing.T) {
  255. test.Integration(t)
  256. s := httpServer()
  257. defer s.Close()
  258. bodyBuf := &bytes.Buffer{}
  259. bodyWriter := multipart.NewWriter(bodyBuf)
  260. fileWriter, err := bodyWriter.CreateFormFile("uploadfile", "testfile.bin")
  261. if err != nil {
  262. t.Fatalf("error writing to buffer: %v", err)
  263. }
  264. data := make([]byte, 10240)
  265. rand.Read(data)
  266. br := bytes.NewReader(data)
  267. _, err = io.Copy(fileWriter, br)
  268. if err != nil {
  269. t.Fatalf("error copying bytes: %v", err)
  270. }
  271. bodyWriter.Close()
  272. r, _ := http.NewRequest("POST", s.URL, bodyBuf)
  273. r.Header.Set("Content-Type", bodyWriter.FormDataContentType())
  274. cl := getClient()
  275. cookieJar, _ := cookiejar.New(nil)
  276. httpCl := http.DefaultClient
  277. httpCl.Jar = cookieJar
  278. spnegoCl := NewClient(cl, httpCl, "HTTP/host.test.gokrb5")
  279. httpResp, err := spnegoCl.Do(r)
  280. if err != nil {
  281. t.Fatalf("Request error: %v\n", err)
  282. }
  283. if httpResp.StatusCode != http.StatusOK {
  284. bodyBytes, _ := ioutil.ReadAll(httpResp.Body)
  285. bodyString := string(bodyBytes)
  286. httpResp.Body.Close()
  287. t.Errorf("unexpected code from http server (%d): %s", httpResp.StatusCode, bodyString)
  288. }
  289. }
  290. func httpGet(r *http.Request, wg *sync.WaitGroup) {
  291. defer wg.Done()
  292. http.DefaultClient.Do(r)
  293. }
  294. func httpServerWithoutSessionManager() *httptest.Server {
  295. l := log.New(os.Stderr, "GOKRB5 Service Tests: ", log.LstdFlags)
  296. b, _ := hex.DecodeString(testdata.HTTP_KEYTAB)
  297. kt := keytab.New()
  298. kt.Unmarshal(b)
  299. th := http.HandlerFunc(testAppHandler)
  300. s := httptest.NewServer(SPNEGOKRB5Authenticate(th, kt, service.Logger(l)))
  301. return s
  302. }
  303. func httpServer() *httptest.Server {
  304. l := log.New(os.Stderr, "GOKRB5 Service Tests: ", log.LstdFlags)
  305. b, _ := hex.DecodeString(testdata.HTTP_KEYTAB)
  306. kt := keytab.New()
  307. kt.Unmarshal(b)
  308. th := http.HandlerFunc(testAppHandler)
  309. s := httptest.NewServer(SPNEGOKRB5Authenticate(th, kt, service.Logger(l), service.SessionManager(NewSessionMgr("gokrb5"))))
  310. return s
  311. }
  312. func testAppHandler(w http.ResponseWriter, r *http.Request) {
  313. if r.Method == http.MethodPost {
  314. maxUploadSize := int64(11240)
  315. if err := r.ParseMultipartForm(maxUploadSize); err != nil {
  316. http.Error(w, fmt.Sprintf("cannot parse multipart form: %v", err), http.StatusBadRequest)
  317. return
  318. }
  319. r.Body = http.MaxBytesReader(w, r.Body, maxUploadSize)
  320. file, _, err := r.FormFile("uploadfile")
  321. if err != nil {
  322. http.Error(w, "INVALID_FILE", http.StatusBadRequest)
  323. return
  324. }
  325. defer file.Close()
  326. // write out to /dev/null
  327. _, err = io.Copy(ioutil.Discard, file)
  328. if err != nil {
  329. http.Error(w, "WRITE_ERR", http.StatusInternalServerError)
  330. return
  331. }
  332. }
  333. w.WriteHeader(http.StatusOK)
  334. id := goidentity.FromHTTPRequestContext(r)
  335. fmt.Fprintf(w, "<html>\nTEST.GOKRB5 Handler\nAuthenticed user: %s\nUser's realm: %s\n</html>",
  336. id.UserName(),
  337. id.Domain())
  338. return
  339. }
  340. func getClient() *client.Client {
  341. b, _ := hex.DecodeString(testdata.KEYTAB_TESTUSER1_TEST_GOKRB5)
  342. kt := keytab.New()
  343. kt.Unmarshal(b)
  344. c, _ := config.NewFromString(testdata.KRB5_CONF)
  345. c.LibDefaults.NoAddresses = true
  346. addr := os.Getenv("TEST_KDC_ADDR")
  347. if addr == "" {
  348. addr = testdata.KDC_IP_TEST_GOKRB5
  349. }
  350. c.Realms[0].KDC = []string{addr + ":" + testdata.KDC_PORT_TEST_GOKRB5}
  351. c.Realms[0].KPasswdServer = []string{addr + ":464"}
  352. cl := client.NewWithKeytab("testuser1", "TEST.GOKRB5", kt, c)
  353. return cl
  354. }
  355. type SessionMgr struct {
  356. skey []byte
  357. store sessions.Store
  358. cookieName string
  359. }
  360. func NewSessionMgr(cookieName string) SessionMgr {
  361. skey := []byte("thisistestsecret") // Best practice is to load this key from a secure location.
  362. return SessionMgr{
  363. skey: skey,
  364. store: sessions.NewCookieStore(skey),
  365. cookieName: cookieName,
  366. }
  367. }
  368. func (smgr SessionMgr) Get(r *http.Request, k string) ([]byte, error) {
  369. s, err := smgr.store.Get(r, smgr.cookieName)
  370. if err != nil {
  371. return nil, err
  372. }
  373. if s == nil {
  374. return nil, errors.New("nil session")
  375. }
  376. b, ok := s.Values[k].([]byte)
  377. if !ok {
  378. return nil, fmt.Errorf("could not get bytes held in session at %s", k)
  379. }
  380. return b, nil
  381. }
  382. func (smgr SessionMgr) New(w http.ResponseWriter, r *http.Request, k string, v []byte) error {
  383. s, err := smgr.store.New(r, smgr.cookieName)
  384. if err != nil {
  385. return fmt.Errorf("could not get new session from session manager: %v", err)
  386. }
  387. s.Values[k] = v
  388. return s.Save(r, w)
  389. }