Merge pull request #1444

bdc3d749 Adding HTTP Digest Auth (but not yet enabled) (Lee Clagett)
This commit is contained in:
Riccardo Spagni 2016-12-15 14:25:49 +02:00
commit aa47ea41a7
No known key found for this signature in database
GPG key ID: 55432DF31CCD4FCD
12 changed files with 1165 additions and 7 deletions

View file

@ -26,5 +26,6 @@
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
add_subdirectory(epee)
add_subdirectory(otshell_utils)

View file

@ -0,0 +1,30 @@
# Copyright (c) 2014-2016, The Monero Project
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of
# conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list
# of conditions and the following disclaimer in the documentation and/or other
# materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be
# used to endorse or promote products derived from this software without specific
# prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
# THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
add_subdirectory(src)

View file

@ -683,7 +683,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
m_sock_count(0), m_sock_number(0), m_threads_count(0),
m_pfilter(NULL), m_thread_index(0),
m_connection_type( connection_type ),
new_connection_(new connection<t_protocol_handler>(io_service_, m_config, m_sock_count, m_sock_number, m_pfilter, m_connection_type))
new_connection_()
{
create_server_type_map();
m_thread_name_prefix = "NET";
@ -697,7 +697,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
m_sock_count(0), m_sock_number(0), m_threads_count(0),
m_pfilter(NULL), m_thread_index(0),
m_connection_type(connection_type),
new_connection_(new connection<t_protocol_handler>(io_service_, m_config, m_sock_count, m_sock_number, m_pfilter, connection_type))
new_connection_()
{
create_server_type_map();
m_thread_name_prefix = "NET";
@ -736,6 +736,7 @@ PRAGMA_WARNING_DISABLE_VS(4355)
boost::asio::ip::tcp::endpoint binded_endpoint = acceptor_.local_endpoint();
m_port = binded_endpoint.port();
_fact_c("net/RPClog", "start accept");
new_connection_.reset(new connection<t_protocol_handler>(io_service_, m_config, m_sock_count, m_sock_number, m_pfilter, m_connection_type));
acceptor_.async_accept(new_connection_->socket(),
boost::bind(&boosted_tcp_server<t_protocol_handler>::handle_accept, this,
boost::asio::placeholders::error));
@ -1051,7 +1052,7 @@ POP_WARNINGS
}
else
{
_erro("[sock " << new_connection_->socket().native_handle() << "] Failed to start connection, connections_count = " << m_sock_count);
_erro("[sock " << new_connection_l->socket().native_handle() << "] Failed to start connection, connections_count = " << m_sock_count);
}
new_connection_l->save_dbg_log();

View file

@ -0,0 +1,81 @@
// Copyright (c) 2014-2016, The Monero Project
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
// of conditions and the following disclaimer in the documentation and/or other
// materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
// used to endorse or promote products derived from this software without specific
// prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#pragma once
#include <boost/optional/optional.hpp>
#include <cstdint>
#include "http_base.h"
#include <string>
#include <utility>
namespace epee
{
namespace net_utils
{
namespace http
{
//! Implements RFC 2617 digest auth. Digests from RFC 7616 can be added.
class http_auth
{
public:
struct login
{
login() = delete;
std::string username;
std::string password;
};
struct session
{
session() = delete;
const login credentials;
std::string nonce;
std::uint32_t counter;
};
http_auth() : user() {}
http_auth(login credentials);
//! \return Auth response, or `boost::none` iff `request` had valid auth.
boost::optional<http_response_info> get_response(const http_request_info& request)
{
if (user)
{
return process(request);
}
return boost::none;
}
private:
boost::optional<http_response_info> process(const http_request_info& request);
boost::optional<session> user;
};
}
}
}

View file

@ -30,9 +30,11 @@
#ifndef _HTTP_SERVER_H_
#define _HTTP_SERVER_H_
#include <boost/optional/optional.hpp>
#include <string>
#include "net_utils_base.h"
#include "to_nonconst_iterator.h"
#include "http_auth.h"
#include "http_base.h"
namespace epee
@ -50,6 +52,7 @@ namespace net_utils
{
std::string m_folder;
std::string m_required_user_agent;
boost::optional<http_auth::login> m_user;
critical_section m_lock;
};
@ -169,11 +172,20 @@ namespace net_utils
http_custom_handler(i_service_endpoint* psnd_hndlr, config_type& config, t_connection_context& conn_context)
: simple_http_connection_handler<t_connection_context>(psnd_hndlr, config),
m_config(config),
m_conn_context(conn_context)
m_conn_context(conn_context),
m_auth(m_config.m_user ? http_auth{*m_config.m_user} : http_auth{})
{}
inline bool handle_request(const http_request_info& query_info, http_response_info& response)
{
CHECK_AND_ASSERT_MES(m_config.m_phandler, false, "m_config.m_phandler is NULL!!!!");
const auto auth_response = m_auth.get_response(query_info);
if (auth_response)
{
response = std::move(*auth_response);
return true;
}
//fill with default values
response.m_mime_tipe = "text/plain";
response.m_response_code = 200;
@ -202,6 +214,7 @@ namespace net_utils
//simple_http_connection_handler::config_type m_stub_config;
config_type& m_config;
t_connection_context& m_conn_context;
http_auth m_auth;
};
}
}

View file

@ -52,7 +52,8 @@ namespace epee
: m_net_server(external_io_service)
{}
bool init(const std::string& bind_port = "0", const std::string& bind_ip = "0.0.0.0", const std::string &user_agent = "")
bool init(const std::string& bind_port = "0", const std::string& bind_ip = "0.0.0.0",
std::string user_agent = "", boost::optional<net_utils::http::http_auth::login> user = boost::none)
{
//set self as callback handler
@ -62,7 +63,8 @@ namespace epee
m_net_server.get_config_object().m_folder = "";
// workaround till we get auth/encryption
m_net_server.get_config_object().m_required_user_agent = user_agent;
m_net_server.get_config_object().m_required_user_agent = std::move(user_agent);
m_net_server.get_config_object().m_user = std::move(user);
LOG_PRINT_L0("Binding on " << bind_ip << ":" << bind_port);
bool res = m_net_server.init_server(bind_port, bind_ip);

View file

@ -0,0 +1,29 @@
# Copyright (c) 2014-2016, The Monero Project
#
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are
# permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this list of
# conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice, this list
# of conditions and the following disclaimer in the documentation and/or other
# materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors may be
# used to endorse or promote products derived from this software without specific
# prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
# THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
add_library(epee STATIC http_auth.cpp)

View file

@ -0,0 +1,527 @@
// Copyright (c) 2014-2016, The Monero Project
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
// of conditions and the following disclaimer in the documentation and/or other
// materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
// used to endorse or promote products derived from this software without specific
// prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "net/http_auth.h"
#include <array>
#include <boost/algorithm/string/predicate.hpp>
#include <boost/fusion/adapted/std_tuple.hpp>
#include <boost/fusion/algorithm/iteration/for_each.hpp>
#include <boost/fusion/algorithm/query/any.hpp>
#include <boost/range/algorithm/copy.hpp>
#include <boost/range/algorithm/find_if.hpp>
#include <boost/range/iterator_range_core.hpp>
#include <boost/range/join.hpp>
#include <boost/spirit/include/qi_alternative.hpp>
#include <boost/spirit/include/qi_and_predicate.hpp>
#include <boost/spirit/include/qi_char.hpp>
#include <boost/spirit/include/qi_char_class.hpp>
#include <boost/spirit/include/qi_difference.hpp>
#include <boost/spirit/include/qi_kleene.hpp>
#include <boost/spirit/include/qi_optional.hpp>
#include <boost/spirit/include/qi_parse.hpp>
#include <boost/spirit/include/qi_plus.hpp>
#include <boost/spirit/include/qi_no_case.hpp>
#include <boost/spirit/include/qi_raw.hpp>
#include <boost/spirit/include/qi_rule.hpp>
#include <boost/spirit/include/qi_sequence.hpp>
#include <boost/spirit/include/qi_string.hpp>
#include <boost/spirit/include/qi_symbols.hpp>
#include <boost/spirit/include/qi_uint.hpp>
#include <boost/utility/string_ref.hpp>
#include <cassert>
#include <functional>
#include <iterator>
#include <tuple>
#include <type_traits>
#include "crypto/crypto.h"
#include "md5_l.h"
#include "string_coding.h"
/* This file uses the `u8` prefix and specifies all chars by ASCII numeric
value. This is for maximum portability - C++ does not actually specify ASCII
as the encoding type for unprefixed string literals, etc. Although rare, the
effort required to support rare compiler encoding types is low.
Also be careful of qi::ascii character classes (`qi::asci::alpha`, etc.) -
non-ASCII characters will cause undefined behavior in the table lookup until
boost 1.60. The expression `&qi::ascii::char_` will fail on non-ASCII
characters without "consuming" the input character. */
namespace
{
// string_ref is only constexpr if length is given
template<std::size_t N>
constexpr boost::string_ref ceref(const char (&arg)[N])
{
return boost::string_ref(arg, N - 1);
}
constexpr const auto auth_realm = ceref(u8"monero-wallet-rpc");
constexpr const char comma = 44;
constexpr const char equal_sign = 61;
constexpr const char quote = 34;
constexpr const auto sess_algo = ceref(u8"-sess");
//// Digest Algorithms
template<std::size_t N>
std::array<char, N * 2> to_hex(const std::array<std::uint8_t, N>& digest) noexcept
{
static constexpr const char alphabet[] = u8"0123456789abcdef";
static_assert(sizeof(alphabet) == 17, "bad alphabet size");
// TODO upgrade (improve performance) of to hex in epee string tools
std::array<char, N * 2> out{{}};
auto current = out.begin();
for (const std::uint8_t byte : digest)
{
*current = alphabet[byte >> 4];
++current;
*current = alphabet[byte & 0x0F];
++current;
}
return out;
}
struct md5_
{
static constexpr const boost::string_ref name = ceref(u8"MD5");
struct update
{
template<typename T>
void operator()(const T& arg) const
{
const boost::iterator_range<const char*> data(boost::as_literal(arg));
md5::MD5Update(
std::addressof(ctx),
reinterpret_cast<const std::uint8_t*>(data.begin()),
data.size()
);
}
void operator()(const std::string& arg) const
{
(*this)(boost::string_ref(arg));
}
md5::MD5_CTX& ctx;
};
template<typename... T>
std::array<char, 32> operator()(const T&... args) const
{
md5::MD5_CTX ctx{};
md5::MD5Init(std::addressof(ctx));
boost::fusion::for_each(std::tie(args...), update{ctx});
std::array<std::uint8_t, 16> digest{{}};
md5::MD5Final(digest.data(), std::addressof(ctx));
return to_hex(digest);
}
};
constexpr const boost::string_ref md5_::name;
//! Digest Algorithms available for HTTP Digest Auth.
constexpr const std::tuple<md5_> digest_algorithms{};
//// Various String Parsing Utilities
struct ascii_tolower_
{
template<typename Char>
Char operator()(Char value) const noexcept
{
static_assert(std::is_integral<Char>::value, "only integral types supported");
return (65 <= value && value <= 90) ? (value + 32) : value;
}
};
constexpr const ascii_tolower_ ascii_tolower{};
struct ascii_iequal_
{
template<typename Char>
bool operator()(Char left, Char right) const noexcept
{
return ascii_tolower(left) == ascii_tolower(right);
}
};
constexpr const ascii_iequal_ ascii_iequal{};
//// Digest Authentication
struct auth_request
{
using iterator = const char*;
enum status{ kFail = 0, kStale, kPass };
static status verify(const std::string& method, const std::string& request,
const epee::net_utils::http::http_auth::session& user)
{
struct parser
{
using field_parser = std::function<bool(const parser&, iterator&, iterator, auth_request&)>;
explicit parser() : field_table(), skip_whitespace(), header(), token(), fields() {
using namespace std::placeholders;
namespace qi = boost::spirit::qi;
struct parse_nc
{
bool operator()(const parser&, iterator& current, const iterator end, auth_request& result) const
{
return qi::parse(
current, end,
(qi::raw[qi::uint_parser<std::uint32_t, 16, 8, 8>{}]),
result.nc
);
}
};
struct parse_token
{
bool operator()(const parser& parse, iterator& current, const iterator end,
boost::iterator_range<iterator>& result) const
{
return qi::parse(current, end, parse.token, result);
}
};
struct parse_string
{
bool operator()(const parser&, iterator& current, const iterator end,
boost::iterator_range<iterator>& result) const
{
return qi::parse(
current, end,
(qi::lit(quote) >> qi::raw[+(u8"\\\"" | (qi::ascii::char_ - quote))] >> qi::lit(quote)),
result
);
}
};
struct parse_response
{
bool operator()(const parser&, iterator& current, const iterator end, auth_request& result) const
{
using byte = qi::uint_parser<std::uint8_t, 16, 2, 2>;
return qi::parse(
current, end,
(qi::lit(quote) >> qi::raw[+(byte{})] >> qi::lit(quote)),
result.response
);
}
};
field_table.add
(u8"algorithm", std::bind(parse_token{}, _1, _2, _3, std::bind(&auth_request::algorithm, _4)))
(u8"cnonce", std::bind(parse_string{}, _1, _2, _3, std::bind(&auth_request::cnonce, _4)))
(u8"nc", parse_nc{})
(u8"nonce", std::bind(parse_string{}, _1, _2, _3, std::bind(&auth_request::nonce, _4)))
(u8"qop", std::bind(parse_token{}, _1, _2, _3, std::bind(&auth_request::qop, _4)))
(u8"realm", std::bind(parse_string{}, _1, _2, _3, std::bind(&auth_request::realm, _4)))
(u8"response", parse_response{})
(u8"uri", std::bind(parse_string{}, _1, _2, _3, std::bind(&auth_request::uri, _4)))
(u8"username", std::bind(parse_string{}, _1, _2, _3, std::bind(&auth_request::username, _4)));
skip_whitespace = *(&qi::ascii::char_ >> qi::ascii::space);
header = skip_whitespace >> qi::ascii::no_case[u8"digest"] >> skip_whitespace;
token =
-qi::lit(quote) >>
qi::raw[+(&qi::ascii::char_ >> (qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}")))] >>
-qi::lit(quote);
fields = field_table >> skip_whitespace >> equal_sign >> skip_whitespace;
}
boost::optional<auth_request> operator()(const std::string& method, const std::string& request) const
{
namespace qi = boost::spirit::qi;
iterator current = request.data();
const iterator end = current + request.size();
if (!qi::parse(current, end, header))
{
return boost::none;
}
auth_request info(method);
field_parser null_parser{};
std::reference_wrapper<const field_parser> field = null_parser;
do // require at least one field; require field after `,` character
{
if (!qi::parse(current, end, fields, field) || !field(*this, current, end, info))
{
return boost::none;
}
qi::parse(current, end, skip_whitespace);
} while (qi::parse(current, end, qi::char_(comma) >> skip_whitespace));
return boost::make_optional(current == end, info);
}
private:
boost::spirit::qi::symbols<
char, field_parser, boost::spirit::qi::tst<char, field_parser>, ascii_tolower_
> field_table;
boost::spirit::qi::rule<iterator> skip_whitespace;
boost::spirit::qi::rule<iterator> header;
boost::spirit::qi::rule<iterator, boost::iterator_range<iterator>()> token;
boost::spirit::qi::rule<iterator, std::reference_wrapper<const field_parser>()> fields;
}; // parser
static const parser parse;
return do_verify(parse(method, request), user);
}
private:
explicit auth_request(const std::string& method_)
: algorithm()
, cnonce()
, method(method_)
, nc()
, nonce()
, qop()
, realm()
, response()
, uri()
, username() {
}
struct has_valid_response
{
template<typename Digest, typename Result>
Result generate_old_response(Digest digest, const Result& key, const Result& auth) const
{
return digest(key, u8":", request.nonce, u8":", auth);
}
template<typename Digest, typename Result>
Result generate_new_response(Digest digest, const Result& key, const Result& auth) const
{
return digest(
key, u8":", request.nonce, u8":", request.nc, u8":", request.cnonce, u8":", request.qop, u8":", auth
);
}
template<typename Digest>
typename std::result_of<Digest()>::type generate_auth(Digest digest) const
{
return digest(request.method, u8":", request.uri);
}
template<typename Result>
bool check(const Result& result) const
{
return boost::equals(request.response, result, ascii_iequal);
}
template<typename Digest>
bool operator()(const Digest& digest) const
{
if (boost::starts_with(request.algorithm, Digest::name, ascii_iequal) ||
(request.algorithm.empty() && std::is_same<md5_, Digest>::value))
{
auto key = digest(user.credentials.username, u8":", auth_realm, u8":", user.credentials.password);
if (boost::ends_with(request.algorithm, sess_algo, ascii_iequal))
{
key = digest(key, u8":", request.nonce, u8":", request.cnonce);
}
if (request.qop.empty())
{
return check(generate_old_response(digest, std::move(key), generate_auth(digest)));
}
else if (boost::equals(ceref(u8"auth"), request.qop, ascii_iequal))
{
return check(generate_new_response(digest, std::move(key), generate_auth(digest)));
}
}
return false;
}
const auth_request& request;
const epee::net_utils::http::http_auth::session& user;
};
static status do_verify(const boost::optional<auth_request>& request,
const epee::net_utils::http::http_auth::session& user)
{
if (request &&
boost::equals(request->username, user.credentials.username) &&
boost::fusion::any(digest_algorithms, has_valid_response{*request, user}))
{
if (boost::equals(request->nonce, user.nonce))
{
// RFC 2069 format does not verify nc value - allow just once
if (user.counter == 1 || (!request->qop.empty() && request->counter() == user.counter))
{
return kPass;
}
}
return kStale;
}
return kFail;
}
boost::optional<std::uint32_t> counter() const
{
namespace qi = boost::spirit::qi;
using hex = qi::uint_parser<std::uint32_t, 16>;
std::uint32_t value = 0;
const bool converted = qi::parse(nc.begin(), nc.end(), hex{}, value);
return boost::make_optional(converted, value);
}
boost::iterator_range<iterator> algorithm;
boost::iterator_range<iterator> cnonce;
boost::string_ref method;
boost::iterator_range<iterator> nc;
boost::iterator_range<iterator> nonce;
boost::iterator_range<iterator> qop;
boost::iterator_range<iterator> realm;
boost::iterator_range<iterator> response;
boost::iterator_range<iterator> uri;
boost::iterator_range<iterator> username;
}; // auth_request
struct add_challenge
{
template<typename T>
static void add_field(std::string& str, const char* const name, const T& value)
{
str.push_back(comma);
str.append(name);
str.push_back(equal_sign);
boost::range::copy(value, std::back_inserter(str));
}
template<typename T>
using quoted_result = boost::joined_range<
const boost::joined_range<const boost::string_ref, const T>, const boost::string_ref
>;
template<typename T>
static quoted_result<T> quoted(const T& arg)
{
return boost::range::join(boost::range::join(ceref(u8"\""), arg), ceref(u8"\""));
}
template<typename Digest>
void operator()(const Digest& digest) const
{
static constexpr const auto fname = ceref(u8"WWW-authenticate");
static constexpr const auto fvalue = ceref(u8"Digest qop=\"auth\"");
for (unsigned i = 0; i < 2; ++i)
{
std::string out(fvalue);
const auto algorithm = boost::range::join(
Digest::name, (i == 0 ? boost::string_ref{} : sess_algo)
);
add_field(out, u8"algorithm", algorithm);
add_field(out, u8"realm", quoted(auth_realm));
add_field(out, u8"nonce", quoted(nonce));
add_field(out, u8"stale", is_stale ? ceref("true") : ceref("false"));
fields.push_back(std::make_pair(std::string(fname), std::move(out)));
}
}
const std::string& nonce;
std::list<std::pair<std::string, std::string>>& fields;
const bool is_stale;
};
epee::net_utils::http::http_response_info create_digest_response(
const std::string& nonce, const bool is_stale)
{
epee::net_utils::http::http_response_info rc{};
rc.m_response_code = 401;
rc.m_response_comment = u8"Unauthorized";
rc.m_mime_tipe = u8"text/html";
rc.m_body =
u8"<html><head><title>Unauthorized Access</title></head><body><h1>401 Unauthorized</h1></body></html>";
boost::fusion::for_each(
digest_algorithms, add_challenge{nonce, rc.m_additional_fields, is_stale}
);
return rc;
}
}
namespace epee
{
namespace net_utils
{
namespace http
{
http_auth::http_auth(login credentials)
: user(session{std::move(credentials)}) {
}
boost::optional<http_response_info> http_auth::process(const http_request_info& request)
{
assert(user);
using field = std::pair<std::string, std::string>;
const std::list<field>& fields = request.m_header_info.m_etc_fields;
const auto auth = boost::find_if(fields, [] (const field& value) {
return boost::equals(ceref(u8"authorization"), value.first, ascii_iequal);
});
bool is_stale = false;
if (auth != fields.end())
{
++(user->counter);
switch (auth_request::verify(request.m_http_method_str, auth->second, *user))
{
case auth_request::kPass:
return boost::none;
case auth_request::kStale:
is_stale = true;
break;
default:
case auth_request::kFail:
break;
}
}
user->counter = 0;
{
std::array<std::uint8_t, 16> rand_128bit{{}};
crypto::rand(rand_128bit.size(), rand_128bit.data());
user->nonce = string_encoding::base64_encode(rand_128bit.data(), rand_128bit.size());
}
return create_digest_response(user->nonce, is_stale);
}
}
}
}

View file

@ -46,6 +46,7 @@ target_link_libraries(rpc
PUBLIC
cryptonote_core
cryptonote_protocol
epee
${Boost_THREAD_LIBRARY}
PRIVATE
${EXTRA_LIBRARIES})

View file

@ -34,7 +34,6 @@ set(wallet_sources
password_container.cpp
wallet2.cpp
wallet_args.cpp
wallet_rpc_server.cpp
api/wallet.cpp
api/wallet_manager.cpp
api/transaction_info.cpp
@ -103,6 +102,7 @@ if (NOT BUILD_GUI_DEPS)
target_link_libraries(wallet_rpc_server
PRIVATE
wallet
epee
rpc
cryptonote_core
crypto

View file

@ -42,6 +42,7 @@ set(unit_tests_sources
epee_levin_protocol_handler_async.cpp
fee.cpp
get_xtype_from_string.cpp
http_auth.cpp
main.cpp
mnemonics.cpp
mul_div.cpp
@ -73,6 +74,7 @@ target_link_libraries(unit_tests
rpc
wallet
p2p
epee
${GTEST_LIBRARIES}
${CMAKE_THREAD_LIBS_INIT}
${EXTRA_LIBRARIES})

View file

@ -0,0 +1,471 @@
// Copyright (c) 2014-2016, The Monero Project
//
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are
// permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice, this list
// of conditions and the following disclaimer in the documentation and/or other
// materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors may be
// used to endorse or promote products derived from this software without specific
// prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#include "gtest/gtest.h"
#include "net/http_auth.h"
#include <boost/algorithm/string/predicate.hpp>
#include <boost/fusion/adapted/std_pair.hpp>
#include <boost/range/algorithm/find_if.hpp>
#include <boost/range/iterator_range_core.hpp>
#include <boost/spirit/include/karma_char.hpp>
#include <boost/spirit/include/karma_list.hpp>
#include <boost/spirit/include/karma_generate.hpp>
#include <boost/spirit/include/karma_right_alignment.hpp>
#include <boost/spirit/include/karma_sequence.hpp>
#include <boost/spirit/include/karma_string.hpp>
#include <boost/spirit/include/karma_uint.hpp>
#include <boost/spirit/include/qi_alternative.hpp>
#include <boost/spirit/include/qi_char.hpp>
#include <boost/spirit/include/qi_char_class.hpp>
#include <boost/spirit/include/qi_difference.hpp>
#include <boost/spirit/include/qi_eoi.hpp>
#include <boost/spirit/include/qi_list.hpp>
#include <boost/spirit/include/qi_parse.hpp>
#include <boost/spirit/include/qi_plus.hpp>
#include <boost/spirit/include/qi_sequence.hpp>
#include <boost/spirit/include/qi_string.hpp>
#include <cstdint>
#include <iterator>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>
#include "md5_l.h"
#include "string_tools.h"
namespace {
using fields = std::unordered_map<std::string, std::string>;
using auth_responses = std::vector<fields>;
std::string quoted(std::string str)
{
str.insert(str.begin(), '"');
str.push_back('"');
return str;
}
epee::net_utils::http::http_request_info make_request(const fields& args)
{
namespace karma = boost::spirit::karma;
std::string out{" DIGEST "};
karma::generate(
std::back_inserter(out),
(karma::string << " = " << karma::string) % " , ",
args);
epee::net_utils::http::http_request_info request{};
request.m_http_method_str = "NOP";
request.m_header_info.m_etc_fields.push_back(
std::make_pair(u8"authorization", std::move(out))
);
return request;
}
bool has_same_fields(const auth_responses& in)
{
const std::vector<std::string> check{u8"nonce", u8"qop", u8"realm", u8"stale"};
auto current = in.begin();
const auto end = in.end();
if (current == end)
return true;
++current;
for ( ; current != end; ++current )
{
for (const auto& field : check)
{
const std::string& expected = in[0].at(field);
const std::string& actual = current->at(field);
EXPECT_EQ(expected, actual);
if (expected != actual)
return false;
}
}
return true;
}
bool is_unauthorized(const epee::net_utils::http::http_response_info& response)
{
EXPECT_EQ(401, response.m_response_code);
EXPECT_STREQ(u8"Unauthorized", response.m_response_comment.c_str());
EXPECT_STREQ(u8"text/html", response.m_mime_tipe.c_str());
return response.m_response_code == 401 &&
response.m_response_comment == u8"Unauthorized" &&
response.m_mime_tipe == u8"text/html";
}
auth_responses parse_response(const epee::net_utils::http::http_response_info& response)
{
namespace qi = boost::spirit::qi;
auth_responses result{};
const auto end = response.m_additional_fields.end();
for (auto current = response.m_additional_fields.begin(); current != end; ++current)
{
current = std::find_if(current, end, [] (const std::pair<std::string, std::string>& field) {
return boost::iequals(u8"www-authenticate", field.first);
});
if (current == end)
return result;
std::unordered_map<std::string, std::string> fields{};
const bool rc = qi::parse(
current->second.begin(), current->second.end(),
qi::lit(u8"Digest ") >> ((
+qi::ascii::alpha >>
qi::lit('=') >> (
(qi::lit('"') >> +(qi::ascii::char_ - '"') >> qi::lit('"')) |
+(qi::ascii::graph - qi::ascii::char_(u8"()<>@,;:\\\"/[]?={}"))
)
) % ','
) >> qi::eoi,
fields
);
if (rc)
result.push_back(std::move(fields));
}
return result;
}
std::string md5_hex(const std::string& in)
{
md5::MD5_CTX ctx{};
md5::MD5Init(std::addressof(ctx));
md5::MD5Update(
std::addressof(ctx),
reinterpret_cast<const std::uint8_t*>(in.data()),
in.size()
);
std::array<std::uint8_t, 16> digest{{}};
md5::MD5Final(digest.data(), std::addressof(ctx));
return epee::string_tools::pod_to_hex(digest);
}
std::string get_a1(const epee::net_utils::http::http_auth::login& user, const auth_responses& responses)
{
const std::string& realm = responses.at(0).at(u8"realm");
return boost::join(
std::vector<std::string>{user.username, realm, user.password}, u8":"
);
}
std::string get_a1_sess(const epee::net_utils::http::http_auth::login& user, const std::string& cnonce, const auth_responses& responses)
{
const std::string& nonce = responses.at(0).at(u8"nonce");
return boost::join(
std::vector<std::string>{md5_hex(get_a1(user, responses)), nonce, cnonce}, u8":"
);
}
std::string get_a2(const std::string& uri)
{
return boost::join(std::vector<std::string>{"NOP", uri}, u8":");
}
std::string get_nc(std::uint32_t count)
{
namespace karma = boost::spirit::karma;
std::string out;
karma::generate(
std::back_inserter(out),
karma::right_align(8, '0')[karma::uint_generator<std::uint32_t, 16>{}],
count
);
return out;
}
}
TEST(HTTP_Auth, NotRequired)
{
epee::net_utils::http::http_auth auth{};
EXPECT_FALSE(auth.get_response(epee::net_utils::http::http_request_info{}));
}
TEST(HTTP_Auth, MissingAuth)
{
epee::net_utils::http::http_auth auth{{"foo", "bar"}};
EXPECT_TRUE(auth.get_response(epee::net_utils::http::http_request_info{}));
{
epee::net_utils::http::http_request_info request{};
request.m_header_info.m_etc_fields.push_back({"\xFF", "\xFF"});
EXPECT_TRUE(auth.get_response(request));
}
}
TEST(HTTP_Auth, BadSyntax)
{
epee::net_utils::http::http_auth auth{{"foo", "bar"}};
EXPECT_TRUE(auth.get_response(make_request({{u8"algorithm", "fo\xFF"}})));
EXPECT_TRUE(auth.get_response(make_request({{u8"cnonce", "\"000\xFF\""}})));
EXPECT_TRUE(auth.get_response(make_request({{u8"cnonce \xFF =", "\"000\xFF\""}})));
EXPECT_TRUE(auth.get_response(make_request({{u8" \xFF cnonce", "\"000\xFF\""}})));
}
TEST(HTTP_Auth, MD5)
{
epee::net_utils::http::http_auth::login user{"foo", "bar"};
epee::net_utils::http::http_auth auth{user};
const auto response = auth.get_response(make_request({}));
ASSERT_TRUE(response);
EXPECT_TRUE(is_unauthorized(*response));
const auto fields = parse_response(*response);
ASSERT_LE(2u, fields.size());
EXPECT_TRUE(has_same_fields(fields));
const std::string& nonce = fields[0].at(u8"nonce");
EXPECT_EQ(24, nonce.size());
const std::string uri{"/some_foo_thing"};
const std::string a1 = get_a1(user, fields);
const std::string a2 = get_a2(uri);
const std::string auth_code = md5_hex(
boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
);
const auto request = make_request({
{u8"nonce", quoted(nonce)},
{u8"realm", quoted(fields[0].at(u8"realm"))},
{u8"response", quoted(auth_code)},
{u8"uri", quoted(uri)},
{u8"username", quoted(user.username)}
});
EXPECT_FALSE(auth.get_response(request));
const auto response2 = auth.get_response(request);
ASSERT_TRUE(response2);
EXPECT_TRUE(is_unauthorized(*response2));
const auto fields2 = parse_response(*response2);
ASSERT_LE(2u, fields2.size());
EXPECT_TRUE(has_same_fields(fields2));
EXPECT_NE(nonce, fields2[0].at(u8"nonce"));
EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
TEST(HTTP_Auth, MD5_sess)
{
constexpr const char cnonce[] = "not a good cnonce";
epee::net_utils::http::http_auth::login user{"foo", "bar"};
epee::net_utils::http::http_auth auth{user};
const auto response = auth.get_response(make_request({}));
ASSERT_TRUE(response);
EXPECT_TRUE(is_unauthorized(*response));
const auto fields = parse_response(*response);
ASSERT_LE(2u, fields.size());
EXPECT_TRUE(has_same_fields(fields));
const std::string& nonce = fields[0].at(u8"nonce");
EXPECT_EQ(24, nonce.size());
const std::string uri{"/some_foo_thing"};
const std::string a1 = get_a1_sess(user, cnonce, fields);
const std::string a2 = get_a2(uri);
const std::string auth_code = md5_hex(
boost::join(std::vector<std::string>{md5_hex(a1), nonce, md5_hex(a2)}, u8":")
);
const auto request = make_request({
{u8"algorithm", u8"md5-sess"},
{u8"cnonce", quoted(cnonce)},
{u8"nonce", quoted(nonce)},
{u8"realm", quoted(fields[0].at(u8"realm"))},
{u8"response", quoted(auth_code)},
{u8"uri", quoted(uri)},
{u8"username", quoted(user.username)}
});
EXPECT_FALSE(auth.get_response(request));
const auto response2 = auth.get_response(request);
ASSERT_TRUE(response2);
EXPECT_TRUE(is_unauthorized(*response2));
const auto fields2 = parse_response(*response2);
ASSERT_LE(2u, fields2.size());
EXPECT_TRUE(has_same_fields(fields2));
EXPECT_NE(nonce, fields2[0].at(u8"nonce"));
EXPECT_STREQ(u8"true", fields2[0].at(u8"stale").c_str());
}
TEST(HTTP_Auth, MD5_auth)
{
constexpr const char cnonce[] = "not a nonce";
constexpr const char qop[] = "auth";
epee::net_utils::http::http_auth::login user{"foo", "bar"};
epee::net_utils::http::http_auth auth{user};
const auto response = auth.get_response(make_request({}));
ASSERT_TRUE(response);
EXPECT_TRUE(is_unauthorized(*response));
const auto parsed = parse_response(*response);
ASSERT_LE(2u, parsed.size());
EXPECT_TRUE(has_same_fields(parsed));
const std::string& nonce = parsed[0].at(u8"nonce");
EXPECT_EQ(24, nonce.size());
const std::string uri{"/some_foo_thing"};
const std::string a1 = get_a1(user, parsed);
const std::string a2 = get_a2(uri);
std::string nc = get_nc(1);
const auto generate_auth = [&] {
return md5_hex(
boost::join(
std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, qop, md5_hex(a2)}, u8":"
)
);
};
fields args{
{u8"algorithm", quoted(u8"md5")},
{u8"cnonce", quoted(cnonce)},
{u8"nc", nc},
{u8"nonce", quoted(nonce)},
{u8"qop", quoted(qop)},
{u8"realm", quoted(parsed[0].at(u8"realm"))},
{u8"response", quoted(generate_auth())},
{u8"uri", quoted(uri)},
{u8"username", quoted(user.username)}
};
const auto request = make_request(args);
EXPECT_FALSE(auth.get_response(request));
for (unsigned i = 2; i < 20; ++i)
{
nc = get_nc(i);
args.at(u8"nc") = nc;
args.at(u8"response") = quoted(generate_auth());
EXPECT_FALSE(auth.get_response(make_request(args)));
}
const auto replay = auth.get_response(request);
ASSERT_TRUE(replay);
EXPECT_TRUE(is_unauthorized(*replay));
const auto parsed_replay = parse_response(*replay);
ASSERT_LE(2u, parsed_replay.size());
EXPECT_TRUE(has_same_fields(parsed_replay));
EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}
TEST(HTTP_Auth, MD5_sess_auth)
{
constexpr const char cnonce[] = "not a nonce";
constexpr const char qop[] = "auth";
epee::net_utils::http::http_auth::login user{"foo", "bar"};
epee::net_utils::http::http_auth auth{user};
const auto response = auth.get_response(make_request({}));
ASSERT_TRUE(response);
EXPECT_TRUE(is_unauthorized(*response));
const auto parsed = parse_response(*response);
ASSERT_LE(2u, parsed.size());
EXPECT_TRUE(has_same_fields(parsed));
const std::string& nonce = parsed[0].at(u8"nonce");
EXPECT_EQ(24, nonce.size());
const std::string uri{"/some_foo_thing"};
const std::string a1 = get_a1_sess(user, cnonce, parsed);
const std::string a2 = get_a2(uri);
std::string nc = get_nc(1);
const auto generate_auth = [&] {
return md5_hex(
boost::join(
std::vector<std::string>{md5_hex(a1), nonce, nc, cnonce, qop, md5_hex(a2)}, u8":"
)
);
};
fields args{
{u8"algorithm", u8"md5-sess"},
{u8"cnonce", quoted(cnonce)},
{u8"nc", nc},
{u8"nonce", quoted(nonce)},
{u8"qop", qop},
{u8"realm", quoted(parsed[0].at(u8"realm"))},
{u8"response", quoted(generate_auth())},
{u8"uri", quoted(uri)},
{u8"username", quoted(user.username)}
};
const auto request = make_request(args);
EXPECT_FALSE(auth.get_response(request));
for (unsigned i = 2; i < 20; ++i)
{
nc = get_nc(i);
args.at(u8"nc") = nc;
args.at(u8"response") = quoted(generate_auth());
EXPECT_FALSE(auth.get_response(make_request(args)));
}
const auto replay = auth.get_response(request);
ASSERT_TRUE(replay);
EXPECT_TRUE(is_unauthorized(*replay));
const auto parsed_replay = parse_response(*replay);
ASSERT_LE(2u, parsed_replay.size());
EXPECT_TRUE(has_same_fields(parsed_replay));
EXPECT_NE(nonce, parsed_replay[0].at(u8"nonce"));
EXPECT_STREQ(u8"true", parsed_replay[0].at(u8"stale").c_str());
}