You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/08/25 08:14:49 UTC

[couchdb] 01/01: Refactor hash algorithms test for full CI run

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch fix-chttpd_auth_hash_algorithms
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 6364547b40509e48e8cd68e6ed5a9aa4e6c15945
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Thu Aug 25 10:14:31 2022 +0200

    Refactor hash algorithms test for full CI run
    
    The test doesn't check if the hash algorithm is supported by the
    erlang vm. The test for supported hash algorithms was only missing
    in the test itself and not in CouchDB.
    Refactor test and verify hash names during test runs.
---
 .../eunit/chttpd_auth_hash_algorithms_tests.erl    | 28 ++++++++++-------
 src/couch/include/couch_db.hrl                     |  2 ++
 src/couch/src/couch_httpd_auth.erl                 | 35 ++--------------------
 src/couch/src/couch_util.erl                       | 31 +++++++++++++++++++
 4 files changed, 53 insertions(+), 43 deletions(-)

diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
index 3d872aa46..da431c9fe 100644
--- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
@@ -18,8 +18,8 @@
 
 -define(ADM_USER, "adm_user").
 -define(ADM_PASS, "adm_pass").
--define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s").
--define(DISALLOWED_HASHES, "md4, md5, ripemd160").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
 
 hash_algorithms_test_() ->
     {
@@ -43,12 +43,13 @@ setup() ->
     config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
     config:set("chttpd_auth", "secret", NewSecret, false),
     config:set("chttpd", "require_valid_user", "true", false),
-    config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false),
-    AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+    config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+    HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
         trim, {return, binary}
     ]),
-    DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
-    {Ctx, {AllowedHashes, DisallowedHashes}}.
+    HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}.
 
 teardown({Ctx, _}) ->
     config:delete("chttpd_auth", "hash_algorithms", false),
@@ -65,7 +66,12 @@ base_url() ->
 
 make_auth_session_string(HashAlgorithm, User, Secret, TimeStamp) ->
     SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
-    Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    Hash =
+        case lists:member(HashAlgorithm, SupportedHashAlgorithms) of
+            true -> couch_util:hmac(HashAlgorithm, Secret, SessionData);
+            false -> couch_util:hmac(?DEFAULT_HASH_ALGORITHM, Secret, SessionData)
+        end,
     "AuthSession=" ++ couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)).
 
 get_user_props(User) ->
@@ -83,7 +89,7 @@ test_hash_algorithm([], _) ->
 test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) ->
     CurrentTime = couch_httpd_auth:make_cookie_time(),
     Cookie = make_auth_session_string(
-        erlang:binary_to_existing_atom(DefaultHashAlgorithm),
+        DefaultHashAlgorithm,
         ?ADM_USER,
         get_full_secret(?ADM_USER),
         CurrentTime
@@ -92,8 +98,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta
     ?assertEqual(Status, ReqStatus),
     test_hash_algorithm(DecodingHashAlgorithmsList, Status).
 
-test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) ->
+test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) ->
+    AllowedHashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
     test_hash_algorithm(AllowedHashes, 200).
 
-test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) ->
+test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) ->
+    DisallowedHashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
     test_hash_algorithm(DisallowedHashes, 401).
diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl
index 233836d16..e70706a7f 100644
--- a/src/couch/include/couch_db.hrl
+++ b/src/couch/include/couch_db.hrl
@@ -15,6 +15,8 @@
 -define(DESIGN_DOC_PREFIX, "_design/").
 -define(DEFAULT_COMPRESSION, snappy).
 
+-define(DEFAULT_HASH_ALGORITHM, sha256).
+
 -define(MIN_STR, <<"">>).
 -define(MAX_STR, <<255>>). % illegal utf string
 
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index e2cb02f8c..b3c984174 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -16,8 +16,6 @@
 
 -include_lib("couch/include/couch_db.hrl").
 
--define(DEFAULT_HASH_ALGORITHM, sha256).
-
 -export([party_mode_handler/1]).
 
 -export([
@@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
                 end,
             % Verify expiry and hash
             CurrentTime = make_cookie_time(),
-            HashAlgorithms = get_config_hash_algorithms(),
+            HashAlgorithms = couch_util:get_config_hash_algorithms(),
             case chttpd_util:get_chttpd_auth_config("secret") of
                 undefined ->
                     couch_log:debug("cookie auth secret is not set", []),
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) ->
 
 cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
     SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
-    [HashAlgorithm | _] = get_config_hash_algorithms(),
+    [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(),
     Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
     mochiweb_cookies:cookie(
         "AuthSession",
@@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) ->
         "~p: Authentication failed for user ~s from ~s",
         [?MODULE, User, Peer]
     ).
-
-verify_hash_names(HashAlgorithms, SupportedHashFun) ->
-    verify_hash_names(HashAlgorithms, SupportedHashFun, []).
-verify_hash_names([], _, HashNames) ->
-    lists:reverse(HashNames);
-verify_hash_names([H | T], SupportedHashFun, HashNames) ->
-    try
-        HashAtom = binary_to_existing_atom(H),
-        Result =
-            case lists:member(HashAtom, SupportedHashFun) of
-                true -> [HashAtom | HashNames];
-                false -> HashNames
-            end,
-        verify_hash_names(T, SupportedHashFun, Result)
-    catch
-        error:badarg ->
-            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
-            verify_hash_names(T, SupportedHashFun, HashNames)
-    end.
-
--spec get_config_hash_algorithms() -> list(atom()).
-get_config_hash_algorithms() ->
-    SupportedHashAlgorithms = crypto:supports(hashs),
-    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
-    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
-    case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
-        [] -> [?DEFAULT_HASH_ALGORITHM];
-        VerifiedHashNames -> VerifiedHashNames
-    end.
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index 84691d14e..5512c07da 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -43,6 +43,8 @@
 -export([set_process_priority/2]).
 -export([hmac/3]).
 -export([version_to_binary/1]).
+-export([verify_hash_names/2]).
+-export([get_config_hash_algorithms/0]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -829,3 +831,32 @@ hex(X) ->
         16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566,
         16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666
     }).
+
+verify_hash_names(HashAlgorithms, SupportedHashFun) ->
+    verify_hash_names(HashAlgorithms, SupportedHashFun, []).
+verify_hash_names([], _, HashNames) ->
+    lists:reverse(HashNames);
+verify_hash_names([H | T], SupportedHashFun, HashNames) ->
+    try
+        HashAtom = binary_to_existing_atom(H),
+        Result =
+            case lists:member(HashAtom, SupportedHashFun) of
+                true -> [HashAtom | HashNames];
+                false -> HashNames
+            end,
+        verify_hash_names(T, SupportedHashFun, Result)
+    catch
+        error:badarg ->
+            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
+            verify_hash_names(T, SupportedHashFun, HashNames)
+    end.
+
+-spec get_config_hash_algorithms() -> list(atom()).
+get_config_hash_algorithms() ->
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
+    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
+    case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
+        [] -> [?DEFAULT_HASH_ALGORITHM];
+        VerifiedHashNames -> VerifiedHashNames
+    end.