This is an automated email from the ASF dual-hosted git repository.

iilyak pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb.git


The following commit(s) were added to refs/heads/main by this push:
     new f8583bf  Remove case sensitivity for basic auth and modify tests
     new 9b609f4  Merge pull request #3637 from 
noahshaw11/remove-case-sensitivity-for-basic-auth
f8583bf is described below

commit f8583bf590d245b1a67d26975199788db596c02f
Author: ncshaw <[email protected]>
AuthorDate: Tue Jun 22 16:23:18 2021 -0400

    Remove case sensitivity for basic auth and modify tests
---
 src/couch/src/couch_httpd_auth.erl            | 38 ++++++++++++++------------
 test/elixir/test/config/suite.elixir          |  3 +++
 test/elixir/test/security_validation_test.exs | 39 +++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/src/couch/src/couch_httpd_auth.erl 
b/src/couch/src/couch_httpd_auth.erl
index f0ca2d5..fd420bb 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,24 +99,28 @@ special_test_authentication_handler(Req) ->
 basic_name_pw(Req) ->
     AuthorizationHeader = header_value(Req, "Authorization"),
     case AuthorizationHeader of
-        "Basic " ++ Base64Value ->
-            try
-                re:split(
-                    base64:decode(Base64Value),
-                    ":",
-                    [{return, list}, {parts, 2}]
-                )
-            of
-                ["_", "_"] ->
-                    % special name and pass to be logged out
-                    nil;
-                [User, Pass] ->
-                    {User, Pass};
+        Header when is_list(Header) ->
+            [Basic, Base64Value] = string:split(Header, " "),
+            case string:casefold(Basic) of
+                "basic" ->
+                    try re:split(base64:decode(Base64Value), ":",
+                                    [{return, list}, {parts, 2}]) of
+                        ["_", "_"] ->
+                            % special name and pass to be logged out
+                            nil;
+                        [User, Pass] ->
+                            {User, Pass};
+                        _ ->
+                            nil
+                    catch
+                        error:function_clause ->
+                            throw({
+                                bad_request, 
+                                "Authorization header has invalid base64 value"
+                            })
+                    end;
                 _ ->
-                    nil
-            catch
-                error:function_clause ->
-                    throw({bad_request, "Authorization header has invalid 
base64 value"})
+                    throw({bad_request, "Authorization header is invalid"})
             end;
         _ ->
             nil
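Review bot: `[Basic, Base64Value] = string:split(Header, " ")` on the second added line assumes every Authorization value contains a space; `string:split/2` returns a one-element list for a value such as `Basic` or a bare token, so that line fails with `badmatch` and the request errors out instead of reaching the 400 the new header-validation branch intends. The new `_ -> throw({bad_request, "Authorization header is invalid"})` also changes behaviour for non-Basic schemes: the removed clauses fell through to the `_ -> nil` branch for anything not prefixed `Basic `, which presumably let later handlers (a Bearer-token handler, if one is configured) see the header, whereas now this handler rejects such requests outright. Matching the split result in a `case` and returning `nil` for both the no-space and other-scheme shapes keeps the case-insensitive match while restoring the old fall-through; if rejecting unknown schemes here is deliberate, it deserves a comment and a test. The `case AuthorizationHeader of` is fully inside the hunk, but `basic_name_pw/1`'s callers are not visible.
```erlang
        Header when is_list(Header) ->
            case string:split(Header, " ") of
                [Scheme, Base64Value] ->
                    case string:casefold(Scheme) of
                        "basic" ->
                            % … unchanged: try re:split(base64:decode(Base64Value), ...) … catch … end …
                        _ ->
                            % Not a Basic credential (another scheme): leave it for the
                            % remaining handlers, as the old `_ -> nil` did.
                            nil
                    end;
                _ ->
                    % No "<scheme> <credentials>" shape (no space at all): not Basic
                    % auth, so report no credentials rather than crash on badmatch.
                    nil
            end;
```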
diff --git a/test/elixir/test/config/suite.elixir 
b/test/elixir/test/config/suite.elixir
index 7d2fc79..467ef2c 100644
--- a/test/elixir/test/config/suite.elixir
+++ b/test/elixir/test/config/suite.elixir
@@ -388,6 +388,9 @@
     "Ddoc writes with admin and replication contexts",
     "Force basic login",
     "Jerry can save a document normally",
+    "Jerry with lowercase 'Basic' auth can save a document normally",
+    "Jerry with uppercase 'Basic' auth can save a document normally",
+    "Jerry with mixed case 'Basic' auth can save a document normally",
     "Non-admin user cannot save a ddoc",
     "Saving document using the wrong credentials",
     "_session API",
diff --git a/test/elixir/test/security_validation_test.exs 
b/test/elixir/test/security_validation_test.exs
index dddf7a7..cfab242 100644
--- a/test/elixir/test/security_validation_test.exs
+++ b/test/elixir/test/security_validation_test.exs
@@ -25,6 +25,18 @@ defmodule SecurityValidationTest do
     spike: [
       # spike:dog
       authorization: "Basic c3Bpa2U6ZG9n"
+    ],
+    jerry_lowercase_basic: [
+      # jerry:mouse with lowercase 'Basic'
+      authorization: "basic amVycnk6bW91c2U="
+    ],
+    jerry_uppercase_basic: [
+      # jerry:mouse with uppercase 'Basic'
+      authorization: "BASIC amVycnk6bW91c2U="
+    ],
+    jerry_mixed_case_basic: [
+      # jerry:mouse with mixed case 'Basic'
+      authorization: "BAsIc amVycnk6bW91c2U="
     ]
   }
 
@@ -113,6 +125,33 @@ defmodule SecurityValidationTest do
   end
 
   @tag :with_db
+  test "Jerry with lowercase 'Basic' auth can save a document normally", 
context do
+    headers = @auth_headers[:jerry_lowercase_basic]
+    assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == 
"jerry"
+
+    doc = %{_id: "testdoc1", foo: 1, author: "jerry"}
+    assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+  end
+
+  @tag :with_db
+  test "Jerry with uppercase 'Basic' auth can save a document normally", 
context do
+    headers = @auth_headers[:jerry_uppercase_basic]
+    assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == 
"jerry"
+
+    doc = %{_id: "testdoc2", foo: 1, author: "jerry"}
+    assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+  end
+
+  @tag :with_db
+  test "Jerry with mixed case 'Basic' auth can save a document normally", 
context do
+    headers = @auth_headers[:jerry_mixed_case_basic]
+    assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == 
"jerry"
+
+    doc = %{_id: "testdoc3", foo: 1, author: "jerry"}
+    assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+  end
+
+  @tag :with_db
   test "Non-admin user cannot save a ddoc", context do
     headers = @auth_headers[:jerry]
     resp = Couch.post("/#{context[:db_name]}", body: @ddoc, headers: headers)
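Review bot: The three new tests post the document without `headers: headers` (the `Couch.post` call in each), so the save runs under the client's default credentials and only the preceding `/_session` call actually exercises the lowercase/uppercase/mixed-case `Basic` scheme; compare the `Couch.post(..., headers: headers)` form in the unchanged "Non-admin user cannot save a ddoc" test below. Passing the fixture headers, `assert Couch.post("/#{context[:db_name]}", body: doc, headers: headers).body["ok"]`, makes the "can save a document" half of each test meaningful. There is also no negative coverage: per the couch_httpd_auth.erl hunk above, a value whose scheme is not `basic` now gets a 400 from `basic_name_pw/1` and a value with no space at all is unhandled, yet neither shape is asserted here; one `Couch.get("/_session", headers: [authorization: "Bearer x"])` check on the expected status would pin the intended behaviour down. The three bodies differ only by fixture key and doc id, so generating them with a `for {key, id} <- [...]` loop would remove the duplication.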
