You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/08/25 17:29:28 UTC

[couchdb] branch main updated: Refactor hash algorithms test

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb.git


The following commit(s) were added to refs/heads/main by this push:
     new ea382cf28 Refactor hash algorithms test
ea382cf28 is described below

commit ea382cf28111c2b31ddaaf9a04be20a34df454ec
Author: Ronny <ro...@apache.org>
AuthorDate: Thu Aug 25 19:29:22 2022 +0200

    Refactor hash algorithms test
    
    The test doesn't check if the hash algorithm is supported by the
    erlang vm. The test for supported hash algorithms was only missing
    in the test itself and not in CouchDB.
    Refactor test and verify hash names during test runs.
---
 .../eunit/chttpd_auth_hash_algorithms_tests.erl    | 25 +++++++++-------
 src/couch/include/couch_db.hrl                     |  2 ++
 src/couch/src/couch_httpd_auth.erl                 | 35 ++--------------------
 src/couch/src/couch_util.erl                       | 31 +++++++++++++++++++
 4 files changed, 49 insertions(+), 44 deletions(-)

diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
index 3d872aa46..c78427d24 100644
--- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
@@ -18,8 +18,8 @@
 
 -define(ADM_USER, "adm_user").
 -define(ADM_PASS, "adm_pass").
--define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s").
--define(DISALLOWED_HASHES, "md4, md5, ripemd160").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
 
 hash_algorithms_test_() ->
     {
@@ -43,12 +43,13 @@ setup() ->
     config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
     config:set("chttpd_auth", "secret", NewSecret, false),
     config:set("chttpd", "require_valid_user", "true", false),
-    config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false),
-    AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+    config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+    HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
         trim, {return, binary}
     ]),
-    DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
-    {Ctx, {AllowedHashes, DisallowedHashes}}.
+    HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}.
 
 teardown({Ctx, _}) ->
     config:delete("chttpd_auth", "hash_algorithms", false),
@@ -83,7 +84,7 @@ test_hash_algorithm([], _) ->
 test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) ->
     CurrentTime = couch_httpd_auth:make_cookie_time(),
     Cookie = make_auth_session_string(
-        erlang:binary_to_existing_atom(DefaultHashAlgorithm),
+        DefaultHashAlgorithm,
         ?ADM_USER,
         get_full_secret(?ADM_USER),
         CurrentTime
@@ -92,8 +93,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta
     ?assertEqual(Status, ReqStatus),
     test_hash_algorithm(DecodingHashAlgorithmsList, Status).
 
-test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) ->
-    test_hash_algorithm(AllowedHashes, 200).
+test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) ->
+    Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes, 200).
 
-test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) ->
-    test_hash_algorithm(DisallowedHashes, 401).
+test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) ->
+    Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes, 401).
diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl
index 233836d16..e70706a7f 100644
--- a/src/couch/include/couch_db.hrl
+++ b/src/couch/include/couch_db.hrl
@@ -15,6 +15,8 @@
 -define(DESIGN_DOC_PREFIX, "_design/").
 -define(DEFAULT_COMPRESSION, snappy).
 
+-define(DEFAULT_HASH_ALGORITHM, sha256).
+
 -define(MIN_STR, <<"">>).
 -define(MAX_STR, <<255>>). % illegal utf string
 
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index e2cb02f8c..b3c984174 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -16,8 +16,6 @@
 
 -include_lib("couch/include/couch_db.hrl").
 
--define(DEFAULT_HASH_ALGORITHM, sha256).
-
 -export([party_mode_handler/1]).
 
 -export([
@@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
                 end,
             % Verify expiry and hash
             CurrentTime = make_cookie_time(),
-            HashAlgorithms = get_config_hash_algorithms(),
+            HashAlgorithms = couch_util:get_config_hash_algorithms(),
             case chttpd_util:get_chttpd_auth_config("secret") of
                 undefined ->
                     couch_log:debug("cookie auth secret is not set", []),
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) ->
 
 cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
     SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
-    [HashAlgorithm | _] = get_config_hash_algorithms(),
+    [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(),
     Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
     mochiweb_cookies:cookie(
         "AuthSession",
@@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) ->
         "~p: Authentication failed for user ~s from ~s",
         [?MODULE, User, Peer]
     ).
-
-verify_hash_names(HashAlgorithms, SupportedHashFun) ->
-    verify_hash_names(HashAlgorithms, SupportedHashFun, []).
-verify_hash_names([], _, HashNames) ->
-    lists:reverse(HashNames);
-verify_hash_names([H | T], SupportedHashFun, HashNames) ->
-    try
-        HashAtom = binary_to_existing_atom(H),
-        Result =
-            case lists:member(HashAtom, SupportedHashFun) of
-                true -> [HashAtom | HashNames];
-                false -> HashNames
-            end,
-        verify_hash_names(T, SupportedHashFun, Result)
-    catch
-        error:badarg ->
-            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
-            verify_hash_names(T, SupportedHashFun, HashNames)
-    end.
-
--spec get_config_hash_algorithms() -> list(atom()).
-get_config_hash_algorithms() ->
-    SupportedHashAlgorithms = crypto:supports(hashs),
-    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
-    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
-    case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
-        [] -> [?DEFAULT_HASH_ALGORITHM];
-        VerifiedHashNames -> VerifiedHashNames
-    end.
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index 84691d14e..e916bbc69 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -43,6 +43,8 @@
 -export([set_process_priority/2]).
 -export([hmac/3]).
 -export([version_to_binary/1]).
+-export([verify_hash_names/2]).
+-export([get_config_hash_algorithms/0]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -829,3 +831,32 @@ hex(X) ->
         16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566,
         16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666
     }).
+
+verify_hash_names(HashAlgorithms, SupportedHashes) ->
+    verify_hash_names(HashAlgorithms, SupportedHashes, []).
+verify_hash_names([], _, HashNames) ->
+    lists:reverse(HashNames);
+verify_hash_names([H | T], SupportedHashes, HashNames) ->
+    try
+        HashAtom = binary_to_existing_atom(H),
+        Result =
+            case lists:member(HashAtom, SupportedHashes) of
+                true -> [HashAtom | HashNames];
+                false -> HashNames
+            end,
+        verify_hash_names(T, SupportedHashes, Result)
+    catch
+        error:badarg ->
+            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
+            verify_hash_names(T, SupportedHashes, HashNames)
+    end.
+
+-spec get_config_hash_algorithms() -> list(atom()).
+get_config_hash_algorithms() ->
+    SupportedHashes = crypto:supports(hashs),
+    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
+    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
+    case verify_hash_names(HashAlgorithms, SupportedHashes) of
+        [] -> [?DEFAULT_HASH_ALGORITHM];
+        VerifiedHashNames -> VerifiedHashNames
+    end.