You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/08/25 08:14:48 UTC
[couchdb] branch fix-chttpd_auth_hash_algorithms created (now 6364547b4)
This is an automated email from the ASF dual-hosted git repository.
ronny pushed a change to branch fix-chttpd_auth_hash_algorithms
in repository https://gitbox.apache.org/repos/asf/couchdb.git
at 6364547b4 Refactor hash algorithms test for full CI run
This branch includes the following new commits:
new 6364547b4 Refactor hash algorithms test for full CI run
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[couchdb] 01/01: Refactor hash algorithms test for full CI run
Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
ronny pushed a commit to branch fix-chttpd_auth_hash_algorithms
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 6364547b40509e48e8cd68e6ed5a9aa4e6c15945
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Thu Aug 25 10:14:31 2022 +0200
Refactor hash algorithms test for full CI run
The test doesn't check if the hash algorithm is supported by the
erlang vm. The test for supported hash algorithms was only missing
in the test itself and not in CouchDB.
Refactor test and verify hash names during test runs.
---
.../eunit/chttpd_auth_hash_algorithms_tests.erl | 28 ++++++++++-------
src/couch/include/couch_db.hrl | 2 ++
src/couch/src/couch_httpd_auth.erl | 35 ++--------------------
src/couch/src/couch_util.erl | 31 +++++++++++++++++++
4 files changed, 53 insertions(+), 43 deletions(-)
diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
index 3d872aa46..da431c9fe 100644
--- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
@@ -18,8 +18,8 @@
-define(ADM_USER, "adm_user").
-define(ADM_PASS, "adm_pass").
--define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s").
--define(DISALLOWED_HASHES, "md4, md5, ripemd160").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
hash_algorithms_test_() ->
{
@@ -43,12 +43,13 @@ setup() ->
config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
config:set("chttpd_auth", "secret", NewSecret, false),
config:set("chttpd", "require_valid_user", "true", false),
- config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false),
- AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+ config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+ HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
trim, {return, binary}
]),
- DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
- {Ctx, {AllowedHashes, DisallowedHashes}}.
+ HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+ SupportedHashAlgorithms = crypto:supports(hashs),
+ {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}.
teardown({Ctx, _}) ->
config:delete("chttpd_auth", "hash_algorithms", false),
@@ -65,7 +66,12 @@ base_url() ->
make_auth_session_string(HashAlgorithm, User, Secret, TimeStamp) ->
SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
- Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
+ SupportedHashAlgorithms = crypto:supports(hashs),
+ Hash =
+ case lists:member(HashAlgorithm, SupportedHashAlgorithms) of
+ true -> couch_util:hmac(HashAlgorithm, Secret, SessionData);
+ false -> couch_util:hmac(?DEFAULT_HASH_ALGORITHM, Secret, SessionData)
+ end,
"AuthSession=" ++ couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)).
get_user_props(User) ->
@@ -83,7 +89,7 @@ test_hash_algorithm([], _) ->
test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) ->
CurrentTime = couch_httpd_auth:make_cookie_time(),
Cookie = make_auth_session_string(
- erlang:binary_to_existing_atom(DefaultHashAlgorithm),
+ DefaultHashAlgorithm,
?ADM_USER,
get_full_secret(?ADM_USER),
CurrentTime
@@ -92,8 +98,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta
?assertEqual(Status, ReqStatus),
test_hash_algorithm(DecodingHashAlgorithmsList, Status).
-test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) ->
+test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) ->
+ AllowedHashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
test_hash_algorithm(AllowedHashes, 200).
-test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) ->
+test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) ->
+ DisallowedHashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
test_hash_algorithm(DisallowedHashes, 401).
diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl
index 233836d16..e70706a7f 100644
--- a/src/couch/include/couch_db.hrl
+++ b/src/couch/include/couch_db.hrl
@@ -15,6 +15,8 @@
-define(DESIGN_DOC_PREFIX, "_design/").
-define(DEFAULT_COMPRESSION, snappy).
+-define(DEFAULT_HASH_ALGORITHM, sha256).
+
-define(MIN_STR, <<"">>).
-define(MAX_STR, <<255>>). % illegal utf string
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index e2cb02f8c..b3c984174 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -16,8 +16,6 @@
-include_lib("couch/include/couch_db.hrl").
--define(DEFAULT_HASH_ALGORITHM, sha256).
-
-export([party_mode_handler/1]).
-export([
@@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
end,
% Verify expiry and hash
CurrentTime = make_cookie_time(),
- HashAlgorithms = get_config_hash_algorithms(),
+ HashAlgorithms = couch_util:get_config_hash_algorithms(),
case chttpd_util:get_chttpd_auth_config("secret") of
undefined ->
couch_log:debug("cookie auth secret is not set", []),
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) ->
cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
- [HashAlgorithm | _] = get_config_hash_algorithms(),
+ [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(),
Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
mochiweb_cookies:cookie(
"AuthSession",
@@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) ->
"~p: Authentication failed for user ~s from ~s",
[?MODULE, User, Peer]
).
-
-verify_hash_names(HashAlgorithms, SupportedHashFun) ->
- verify_hash_names(HashAlgorithms, SupportedHashFun, []).
-verify_hash_names([], _, HashNames) ->
- lists:reverse(HashNames);
-verify_hash_names([H | T], SupportedHashFun, HashNames) ->
- try
- HashAtom = binary_to_existing_atom(H),
- Result =
- case lists:member(HashAtom, SupportedHashFun) of
- true -> [HashAtom | HashNames];
- false -> HashNames
- end,
- verify_hash_names(T, SupportedHashFun, Result)
- catch
- error:badarg ->
- couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
- verify_hash_names(T, SupportedHashFun, HashNames)
- end.
-
--spec get_config_hash_algorithms() -> list(atom()).
-get_config_hash_algorithms() ->
- SupportedHashAlgorithms = crypto:supports(hashs),
- HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
- HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
- case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
- [] -> [?DEFAULT_HASH_ALGORITHM];
- VerifiedHashNames -> VerifiedHashNames
- end.
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index 84691d14e..5512c07da 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -43,6 +43,8 @@
-export([set_process_priority/2]).
-export([hmac/3]).
-export([version_to_binary/1]).
+-export([verify_hash_names/2]).
+-export([get_config_hash_algorithms/0]).
-include_lib("couch/include/couch_db.hrl").
@@ -829,3 +831,32 @@ hex(X) ->
16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566,
16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666
}).
+
+verify_hash_names(HashAlgorithms, SupportedHashFun) ->
+ verify_hash_names(HashAlgorithms, SupportedHashFun, []).
+verify_hash_names([], _, HashNames) ->
+ lists:reverse(HashNames);
+verify_hash_names([H | T], SupportedHashFun, HashNames) ->
+ try
+ HashAtom = binary_to_existing_atom(H),
+ Result =
+ case lists:member(HashAtom, SupportedHashFun) of
+ true -> [HashAtom | HashNames];
+ false -> HashNames
+ end,
+ verify_hash_names(T, SupportedHashFun, Result)
+ catch
+ error:badarg ->
+ couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
+ verify_hash_names(T, SupportedHashFun, HashNames)
+ end.
+
+-spec get_config_hash_algorithms() -> list(atom()).
+get_config_hash_algorithms() ->
+ SupportedHashAlgorithms = crypto:supports(hashs),
+ HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
+ HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
+ case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
+ [] -> [?DEFAULT_HASH_ALGORITHM];
+ VerifiedHashNames -> VerifiedHashNames
+ end.