io.undertow.server.security.DigestAuthenticationAuthTestCase.java Source code

Java tutorial

Introduction

Here is the source code for io.undertow.server.security.DigestAuthenticationAuthTestCase.java

Source

/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2014 Red Hat, Inc., and individual contributors
 * as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package io.undertow.server.security;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityNotification.EventType;
import io.undertow.security.idm.DigestAlgorithm;
import io.undertow.security.impl.AuthenticationInfoToken;
import io.undertow.security.impl.DigestAuthenticationMechanism;
import io.undertow.security.impl.DigestAuthorizationToken;
import io.undertow.security.impl.DigestQop;
import io.undertow.security.impl.DigestWWWAuthenticateToken;
import io.undertow.security.impl.SimpleNonceManager;
import io.undertow.testutils.DefaultServer;
import io.undertow.testutils.TestHttpClient;
import io.undertow.util.HexConverter;
import io.undertow.util.StatusCodes;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.junit.Test;
import org.junit.runner.RunWith;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Random;

import static io.undertow.util.Headers.AUTHORIZATION;
import static io.undertow.util.Headers.DIGEST;
import static io.undertow.util.Headers.WWW_AUTHENTICATE;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;

/**
 * Test case for Digest authentication based on RFC2617 with QOP of auth.
 *
 * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
 */
@RunWith(DefaultServer.class)
public class DigestAuthenticationAuthTestCase extends AuthenticationTestBase {

    private static final Charset UTF_8 = StandardCharsets.UTF_8;
    private static final String REALM_NAME = "Digest_Realm";
    private static final String ZERO = "00000000";

    static AuthenticationMechanism getTestMechanism() {
        return new DigestAuthenticationMechanism(Collections.singletonList(DigestAlgorithm.MD5),
                Collections.singletonList(DigestQop.AUTH), REALM_NAME, "/", new SimpleNonceManager());
    }

    /**
     * @see io.undertow.server.security.AuthenticationTestBase#getTestMechanisms()
     */
    @Override
    protected List<AuthenticationMechanism> getTestMechanisms() {
        AuthenticationMechanism mechanism = getTestMechanism();

        return Collections.singletonList(mechanism);
    }

    private static String createNonce() {
        // This if just for testing so we are not concerned with how securely the client side nonce is.
        Random rand = new Random();
        byte[] nonceBytes = new byte[32];
        rand.nextBytes(nonceBytes);

        return HexConverter.convertToHexString(nonceBytes);
    }

    /**
     * Creates a response value from the supplied parameters.
     *
     * @return The generated Hex encoded MD5 digest based response.
     */
    private static String createResponse(final String userName, final String realm, final String password,
            final String method, final String uri, final String nonce, final String nonceCount, final String cnonce)
            throws Exception {
        MessageDigest digest = MessageDigest.getInstance("MD5");
        digest.update(userName.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(realm.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(password.getBytes(UTF_8));

        byte[] ha1 = HexConverter.convertToHexBytes(digest.digest());

        digest.update(method.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(uri.getBytes(UTF_8));

        byte[] ha2 = HexConverter.convertToHexBytes(digest.digest());

        digest.update(ha1);
        digest.update((byte) ':');
        digest.update(nonce.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(nonceCount.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(cnonce.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(DigestQop.AUTH.getToken().getBytes(UTF_8));
        digest.update((byte) ':');

        digest.update(ha2);

        return HexConverter.convertToHexString(digest.digest());
    }

    private static String createRspAuth(final String userName, final String realm, final String password,
            final String uri, final String nonce, final String nonceCount, final String cnonce) throws Exception {
        MessageDigest digest = MessageDigest.getInstance("MD5");
        digest.update(userName.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(realm.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(password.getBytes(UTF_8));

        byte[] ha1 = HexConverter.convertToHexBytes(digest.digest());

        digest.update((byte) ':');
        digest.update(uri.getBytes(UTF_8));

        byte[] ha2 = HexConverter.convertToHexBytes(digest.digest());

        digest.update(ha1);
        digest.update((byte) ':');
        digest.update(nonce.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(nonceCount.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(cnonce.getBytes(UTF_8));
        digest.update((byte) ':');
        digest.update(DigestQop.AUTH.getToken().getBytes(UTF_8));
        digest.update((byte) ':');

        digest.update(ha2);

        return HexConverter.convertToHexString(digest.digest());
    }

    private static String createAuthorizationLine(final String userName, final String password, final String method,
            final String uri, final String nonce, final int nonceCount, final String cnonce, final String opaque)
            throws Exception {
        StringBuilder sb = new StringBuilder(DIGEST.toString());
        sb.append(" ");
        sb.append(DigestAuthorizationToken.USERNAME.getName()).append("=").append("\"userOne\"").append(",");
        sb.append(DigestAuthorizationToken.REALM.getName()).append("=\"").append(REALM_NAME).append("\",");
        sb.append(DigestAuthorizationToken.NONCE.getName()).append("=\"").append(nonce).append("\",");
        sb.append(DigestAuthorizationToken.DIGEST_URI.getName()).append("=\"/\",");
        String nonceCountHex = toHex(nonceCount);
        String response = createResponse(userName, REALM_NAME, password, method, uri, nonce, nonceCountHex, cnonce);
        sb.append(DigestAuthorizationToken.RESPONSE.getName()).append("=\"").append(response).append("\",");
        sb.append(DigestAuthorizationToken.ALGORITHM.getName()).append("=\"").append(DigestAlgorithm.MD5.getToken())
                .append("\",");
        sb.append(DigestAuthorizationToken.CNONCE.getName()).append("=\"").append(cnonce).append("\",");
        sb.append(DigestAuthorizationToken.OPAQUE.getName()).append("=\"").append(opaque).append("\",");
        sb.append(DigestAuthorizationToken.MESSAGE_QOP.getName()).append("=\"").append(DigestQop.AUTH.getToken())
                .append("\",");
        sb.append(DigestAuthorizationToken.NONCE_COUNT.getName()).append("=").append(nonceCountHex);

        return sb.toString();
    }

    private static String toHex(final int number) {
        String temp = Integer.toHexString(number);

        return ZERO.substring(temp.length()) + temp;
    }

    /**
     * Test for a successful authentication.
     *
     * Also makes two additional calls to demonstrate nonce re-use with an incrementing nonce count.
     */
    @Test
    public void testDigestSuccess() throws Exception {
        _testDigestSuccess();
    }

    static void _testDigestSuccess() throws Exception {
        TestHttpClient client = new TestHttpClient();
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
        HttpResponse result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
        String value = getAuthHeader(DIGEST, values);

        Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken
                .parseHeader(value.substring(7));
        assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
        assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
        assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));

        String clientNonce = createNonce();
        int nonceCount = 1;
        String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
        String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
        assertNotNull(opaque);
        // Send 5 requests with an incrementing nonce count on each call.
        for (int i = 0; i < 5; i++) {
            client = new TestHttpClient();
            get = new HttpGet(DefaultServer.getDefaultServerURL());

            int thisNonceCount = nonceCount++;
            String authorization = createAuthorizationLine("userOne", "passwordOne", "GET", "/", nonce,
                    thisNonceCount, clientNonce, opaque);

            get.addHeader(AUTHORIZATION.toString(), authorization);
            result = client.execute(get);
            assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());

            values = result.getHeaders("ProcessedBy");
            assertEquals(1, values.length);
            assertEquals("ResponseHandler", values[0].getValue());
            assertSingleNotificationType(EventType.AUTHENTICATED);

            values = result.getHeaders("Authentication-Info");
            assertEquals(1, values.length);
            Map<AuthenticationInfoToken, String> parsedAuthInfo = AuthenticationInfoToken
                    .parseHeader(values[0].getValue());

            assertEquals("Didn't expect a new nonce.", nonce,
                    parsedAuthInfo.get(AuthenticationInfoToken.NEXT_NONCE));
            assertEquals(DigestQop.AUTH.getToken(), parsedAuthInfo.get(AuthenticationInfoToken.MESSAGE_QOP));
            String nonceCountString = toHex(thisNonceCount);
            assertEquals(
                    createRspAuth("userOne", REALM_NAME, "passwordOne", "/", nonce, nonceCountString, clientNonce),
                    parsedAuthInfo.get(AuthenticationInfoToken.RESPONSE_AUTH));
            assertEquals(clientNonce, parsedAuthInfo.get(AuthenticationInfoToken.CNONCE));
            assertEquals(nonceCountString, parsedAuthInfo.get(AuthenticationInfoToken.NONCE_COUNT));
        }
    }

    /**
     * Test for a failed authentication where a bad username is provided.
     */
    @Test
    public void testBadUsername() throws Exception {
        _testBadUsername();
    }

    static void _testBadUsername() throws Exception {
        TestHttpClient client = new TestHttpClient();
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
        HttpResponse result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());

        String value = getAuthHeader(DIGEST, values);

        Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken
                .parseHeader(value.substring(7));
        assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
        assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
        assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));

        String clientNonce = createNonce();
        int nonceCount = 1;
        String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
        String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
        assertNotNull(opaque);

        client = new TestHttpClient();
        get = new HttpGet(DefaultServer.getDefaultServerURL());

        int thisNonceCount = nonceCount++;
        String authorization = createAuthorizationLine("noUser", "passwordOne", "GET", "/", nonce, thisNonceCount,
                clientNonce, opaque);

        get.addHeader(AUTHORIZATION.toString(), authorization);
        result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        assertSingleNotificationType(EventType.FAILED_AUTHENTICATION);
    }

    /**
     * Test for a failed authentication where a bad password is provided.
     */
    @Test
    public void testBadPassword() throws Exception {
        _testBadPassword();
    }

    static void _testBadPassword() throws Exception {
        TestHttpClient client = new TestHttpClient();
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
        HttpResponse result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());

        String value = getAuthHeader(DIGEST, values);

        Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken
                .parseHeader(value.substring(7));
        assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
        assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
        assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));

        String clientNonce = createNonce();
        int nonceCount = 1;
        String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
        String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
        assertNotNull(opaque);

        client = new TestHttpClient();
        get = new HttpGet(DefaultServer.getDefaultServerURL());

        int thisNonceCount = nonceCount++;
        String authorization = createAuthorizationLine("userOne", "badPassword", "GET", "/", nonce, thisNonceCount,
                clientNonce, opaque);

        get.addHeader(AUTHORIZATION.toString(), authorization);
        result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        assertSingleNotificationType(EventType.FAILED_AUTHENTICATION);
    }

    /**
     * Test for a failed authentication where a bad nonce is provided.
     */
    @Test
    public void testBadNonce() throws Exception {
        _testBadNonce();
    }

    static void _testBadNonce() throws Exception {
        TestHttpClient client = new TestHttpClient();
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
        HttpResponse result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());

        String value = getAuthHeader(DIGEST, values);

        Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken
                .parseHeader(value.substring(7));
        assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
        assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
        assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));

        String clientNonce = createNonce();
        int nonceCount = 1;
        String nonce = "AU1aCIiy48ENMTM1MTE3OTUxMDU2OLrHnBlV2GBzzguCWOPET+0=";
        String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
        assertNotNull(opaque);

        client = new TestHttpClient();
        get = new HttpGet(DefaultServer.getDefaultServerURL());

        int thisNonceCount = nonceCount++;
        String authorization = createAuthorizationLine("userOne", "badPassword", "GET", "/", nonce, thisNonceCount,
                clientNonce, opaque);

        get.addHeader(AUTHORIZATION.toString(), authorization);
        result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        assertSingleNotificationType(EventType.FAILED_AUTHENTICATION);
    }

    /**
     * Test for a failed authentication where the nonce count is re-used.
     *
     * Where a nonce count is used the nonce can now be re-used, however each time the nonce count must be different.
     */
    @Test
    public void testNonceCountReUse() throws Exception {
        _testNonceCountReUse();
    }

    static void _testNonceCountReUse() throws Exception {
        TestHttpClient client = new TestHttpClient();
        HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
        HttpResponse result = client.execute(get);
        assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
        Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());

        String value = getAuthHeader(DIGEST, values);

        Map<DigestWWWAuthenticateToken, String> parsedHeader = DigestWWWAuthenticateToken
                .parseHeader(value.substring(7));
        assertEquals(REALM_NAME, parsedHeader.get(DigestWWWAuthenticateToken.REALM));
        assertEquals(DigestAlgorithm.MD5.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.ALGORITHM));
        assertEquals(DigestQop.AUTH.getToken(), parsedHeader.get(DigestWWWAuthenticateToken.MESSAGE_QOP));

        String clientNonce = createNonce();
        int nonceCount = 1;
        String nonce = parsedHeader.get(DigestWWWAuthenticateToken.NONCE);
        String opaque = parsedHeader.get(DigestWWWAuthenticateToken.OPAQUE);
        assertNotNull(opaque);
        // Send 5 requests with an incrementing nonce count on each call.
        for (int i = 0; i < 2; i++) {
            client = new TestHttpClient();
            get = new HttpGet(DefaultServer.getDefaultServerURL());

            int thisNonceCount = nonceCount; // Note - No increment
            String authorization = createAuthorizationLine("userOne", "passwordOne", "GET", "/", nonce,
                    thisNonceCount, clientNonce, opaque);

            get.addHeader(AUTHORIZATION.toString(), authorization);
            result = client.execute(get);

            if (i == 0) {
                assertEquals(StatusCodes.OK, result.getStatusLine().getStatusCode());
                assertSingleNotificationType(EventType.AUTHENTICATED);

                values = result.getHeaders("ProcessedBy");
                assertEquals(1, values.length);
                assertEquals("ResponseHandler", values[0].getValue());

                values = result.getHeaders("Authentication-Info");
                assertEquals(1, values.length);
                Map<AuthenticationInfoToken, String> parsedAuthInfo = AuthenticationInfoToken
                        .parseHeader(values[0].getValue());

                assertEquals("Didn't expect a new nonce.", nonce,
                        parsedAuthInfo.get(AuthenticationInfoToken.NEXT_NONCE));
                assertEquals(DigestQop.AUTH.getToken(), parsedAuthInfo.get(AuthenticationInfoToken.MESSAGE_QOP));
                String nonceCountString = toHex(thisNonceCount);
                assertEquals(createRspAuth("userOne", REALM_NAME, "passwordOne", "/", nonce, nonceCountString,
                        clientNonce), parsedAuthInfo.get(AuthenticationInfoToken.RESPONSE_AUTH));
                assertEquals(clientNonce, parsedAuthInfo.get(AuthenticationInfoToken.CNONCE));
                assertEquals(nonceCountString, parsedAuthInfo.get(AuthenticationInfoToken.NONCE_COUNT));
            } else {
                assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
            }
        }
    }

}