You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/08/25 17:29:28 UTC
[couchdb] branch main updated: Refactor hash algorithms test
This is an automated email from the ASF dual-hosted git repository.
ronny pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb.git
The following commit(s) were added to refs/heads/main by this push:
new ea382cf28 Refactor hash algorithms test
ea382cf28 is described below
commit ea382cf28111c2b31ddaaf9a04be20a34df454ec
Author: Ronny <ro...@apache.org>
AuthorDate: Thu Aug 25 19:29:22 2022 +0200
Refactor hash algorithms test
The test doesn't check if the hash algorithm is supported by the
erlang vm. The test for supported hash algorithms was only missing
in the test itself and not in CouchDB.
Refactor test and verify hash names during test runs.
---
.../eunit/chttpd_auth_hash_algorithms_tests.erl | 25 +++++++++-------
src/couch/include/couch_db.hrl | 2 ++
src/couch/src/couch_httpd_auth.erl | 35 ++--------------------
src/couch/src/couch_util.erl | 31 +++++++++++++++++++
4 files changed, 49 insertions(+), 44 deletions(-)
diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
index 3d872aa46..c78427d24 100644
--- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
@@ -18,8 +18,8 @@
-define(ADM_USER, "adm_user").
-define(ADM_PASS, "adm_pass").
--define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s").
--define(DISALLOWED_HASHES, "md4, md5, ripemd160").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
hash_algorithms_test_() ->
{
@@ -43,12 +43,13 @@ setup() ->
config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
config:set("chttpd_auth", "secret", NewSecret, false),
config:set("chttpd", "require_valid_user", "true", false),
- config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false),
- AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+ config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+ HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
trim, {return, binary}
]),
- DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
- {Ctx, {AllowedHashes, DisallowedHashes}}.
+ HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+ SupportedHashAlgorithms = crypto:supports(hashs),
+ {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}.
teardown({Ctx, _}) ->
config:delete("chttpd_auth", "hash_algorithms", false),
@@ -83,7 +84,7 @@ test_hash_algorithm([], _) ->
test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) ->
CurrentTime = couch_httpd_auth:make_cookie_time(),
Cookie = make_auth_session_string(
- erlang:binary_to_existing_atom(DefaultHashAlgorithm),
+ DefaultHashAlgorithm,
?ADM_USER,
get_full_secret(?ADM_USER),
CurrentTime
@@ -92,8 +93,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta
?assertEqual(Status, ReqStatus),
test_hash_algorithm(DecodingHashAlgorithmsList, Status).
-test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) ->
- test_hash_algorithm(AllowedHashes, 200).
+test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) ->
+ Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+ test_hash_algorithm(Hashes, 200).
-test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) ->
- test_hash_algorithm(DisallowedHashes, 401).
+test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) ->
+ Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+ test_hash_algorithm(Hashes, 401).
diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl
index 233836d16..e70706a7f 100644
--- a/src/couch/include/couch_db.hrl
+++ b/src/couch/include/couch_db.hrl
@@ -15,6 +15,8 @@
-define(DESIGN_DOC_PREFIX, "_design/").
-define(DEFAULT_COMPRESSION, snappy).
+-define(DEFAULT_HASH_ALGORITHM, sha256).
+
-define(MIN_STR, <<"">>).
-define(MAX_STR, <<255>>). % illegal utf string
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index e2cb02f8c..b3c984174 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -16,8 +16,6 @@
-include_lib("couch/include/couch_db.hrl").
--define(DEFAULT_HASH_ALGORITHM, sha256).
-
-export([party_mode_handler/1]).
-export([
@@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
end,
% Verify expiry and hash
CurrentTime = make_cookie_time(),
- HashAlgorithms = get_config_hash_algorithms(),
+ HashAlgorithms = couch_util:get_config_hash_algorithms(),
case chttpd_util:get_chttpd_auth_config("secret") of
undefined ->
couch_log:debug("cookie auth secret is not set", []),
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) ->
cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
- [HashAlgorithm | _] = get_config_hash_algorithms(),
+ [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(),
Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
mochiweb_cookies:cookie(
"AuthSession",
@@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) ->
"~p: Authentication failed for user ~s from ~s",
[?MODULE, User, Peer]
).
-
-verify_hash_names(HashAlgorithms, SupportedHashFun) ->
- verify_hash_names(HashAlgorithms, SupportedHashFun, []).
-verify_hash_names([], _, HashNames) ->
- lists:reverse(HashNames);
-verify_hash_names([H | T], SupportedHashFun, HashNames) ->
- try
- HashAtom = binary_to_existing_atom(H),
- Result =
- case lists:member(HashAtom, SupportedHashFun) of
- true -> [HashAtom | HashNames];
- false -> HashNames
- end,
- verify_hash_names(T, SupportedHashFun, Result)
- catch
- error:badarg ->
- couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
- verify_hash_names(T, SupportedHashFun, HashNames)
- end.
-
--spec get_config_hash_algorithms() -> list(atom()).
-get_config_hash_algorithms() ->
- SupportedHashAlgorithms = crypto:supports(hashs),
- HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
- HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
- case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
- [] -> [?DEFAULT_HASH_ALGORITHM];
- VerifiedHashNames -> VerifiedHashNames
- end.
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index 84691d14e..e916bbc69 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -43,6 +43,8 @@
-export([set_process_priority/2]).
-export([hmac/3]).
-export([version_to_binary/1]).
+-export([verify_hash_names/2]).
+-export([get_config_hash_algorithms/0]).
-include_lib("couch/include/couch_db.hrl").
@@ -829,3 +831,32 @@ hex(X) ->
16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566,
16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666
}).
+
+verify_hash_names(HashAlgorithms, SupportedHashes) ->
+ verify_hash_names(HashAlgorithms, SupportedHashes, []).
+verify_hash_names([], _, HashNames) ->
+ lists:reverse(HashNames);
+verify_hash_names([H | T], SupportedHashes, HashNames) ->
+ try
+ HashAtom = binary_to_existing_atom(H),
+ Result =
+ case lists:member(HashAtom, SupportedHashes) of
+ true -> [HashAtom | HashNames];
+ false -> HashNames
+ end,
+ verify_hash_names(T, SupportedHashes, Result)
+ catch
+ error:badarg ->
+ couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
+ verify_hash_names(T, SupportedHashes, HashNames)
+ end.
+
+-spec get_config_hash_algorithms() -> list(atom()).
+get_config_hash_algorithms() ->
+ SupportedHashes = crypto:supports(hashs),
+ HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
+ HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
+ case verify_hash_names(HashAlgorithms, SupportedHashes) of
+ [] -> [?DEFAULT_HASH_ALGORITHM];
+ VerifiedHashNames -> VerifiedHashNames
+ end.