geoff 2004/10/14 11:26:03
Modified: perl-framework/t/conf extra.conf.in Added: perl-framework/t/modules digest.t Log: AuthDigestEnableQueryStringHack tests I had sitting around Revision Changes Path 1.53 +23 -0 httpd-test/perl-framework/t/conf/extra.conf.in Index: extra.conf.in =================================================================== RCS file: /home/cvs/httpd-test/perl-framework/t/conf/extra.conf.in,v retrieving revision 1.52 retrieving revision 1.53 diff -u -r1.52 -r1.53 --- extra.conf.in 12 Oct 2004 13:53:41 -0000 1.52 +++ extra.conf.in 14 Oct 2004 18:26:03 -0000 1.53 @@ -396,6 +396,29 @@ </Directory> ## +## Digest test config +## +<IfDefine APACHE2> + <IfModule mod_auth_digest.c> + Alias /digest @DocumentRoot@ + <Location /digest> + Require valid-user + AuthType Digest + AuthName realm1 + # 2.0 + <IfModule mod_auth.c> + AuthDigestFile realm1 + </IfModule> + # 2.1 + <IfModule mod_authn_file.c> + AuthUserFile realm1 + </IfModule> + </Location> + SetEnvIf X-Browser "MSIE" AuthDigestEnableQueryStringHack=On + </IfModule> +</IfDefine> + +## ## ErrorDocument handling ## create it's own virtual host so it doesn't interfere ## with other tests for 404 messages 1.1 httpd-test/perl-framework/t/modules/digest.t Index: digest.t =================================================================== use strict; use warnings FATAL => 'all'; use Apache::Test; use Apache::TestRequest; use Apache::TestUtil qw(t_cmp t_write_file); use File::Spec; plan tests => 13, need need_lwp, need_module('mod_auth_digest'), need_min_apache_version('2.0.51'); my ($no_query_auth, $query_auth, $bad_query); # write out the authentication file my $file = File::Spec->catfile(Apache::Test::vars('serverroot'), 'realm1'); t_write_file($file, <DATA>); my $url = '/digest/index.html'; my $query = 'try=til%7Ede'; { my $response = GET $url; ok t_cmp($response->code, 401, 'no user to authenticate'); } { # bad pass my $response = GET $url, username => 'user1', password => 'foo'; ok t_cmp($response->code, 401, 'user1:foo not found'); } { # authenticated my $response = GET $url, username => 'user1', password => 'password1'; ok t_cmp($response->code, 200, 'user1:password1 found'); # set up for later $no_query_auth = $response->request->headers->authorization; } # now that we know normal digest auth works, play with the query string { # add a query string my $response = GET "$url?$query", username => 'user1', password => 'password1'; ok t_cmp($response->code, 200, 'user1:password1 with query string found'); # set up for later $query_auth = $response->request->headers->authorization; } { # do the auth header ourselves my $response = GET "$url?$query", Authorization => $query_auth; ok t_cmp($response->code, 200, 'manual Authorization header query string'); } { # remove the query string from the uri - bang! (my $noquery = $query_auth) =~ s!$query!!; my $response = GET "$url?$query", Authorization => $noquery; ok t_cmp($response->code, 400, 'manual Authorization with no query string in header'); } { # same with changing the query string in the header ($bad_query = $query_auth) =~ s!$query!something=else!; my $response = GET "$url?$query", Authorization => $bad_query; ok t_cmp($response->code, 400, 'manual Authorization header with mismatched query string'); } { # another mismatch my $response = GET $url, Authorization => $query_auth; ok t_cmp($response->code, 400, 'manual Authorization header with mismatched query string'); } # finally, the MSIE tests { # fake current MSIE behavior - this should work as of 2.0.51 my $response = GET "$url?$query", Authorization => $no_query_auth, 'X-Browser' => 'MSIE'; ok t_cmp($response->code, 200, 'manual Authorization with no query string in header + MSIE'); } { # pretend MSIE fixed itself my $response = GET "$url?$query", username => 'user1', password => 'password1', 'X-Browser' => 'MSIE'; ok t_cmp($response->code, 200, 'a compliant response coming from MSIE'); } { # this still bombs my $response = GET "$url?$query", Authorization => $bad_query, 'X-Browser' => 'MSIE'; ok t_cmp($response->code, 400, 'manual Authorization header with mismatched query string + MSIE'); } { # as does this my $response = GET $url, Authorization => $query_auth, 'X-Browser' => 'MSIE'; ok t_cmp($response->code, 400, 'manual Authorization header with mismatched query string + MSIE'); } { # no hack required my $response = GET $url, username => 'user1', password => 'password1', 'X-Browser' => 'MSIE'; ok t_cmp($response->code, 200, 'no query string + MSIE'); } __DATA__ # user1/password1 user1:realm1:4b5df5ee44449d6b5fbf026a7756e6ee