Posted to commits@couchdb.apache.org by ro...@apache.org on 2022/08/25 16:18:06 UTC

[couchdb] branch jenkins-fix-chttpd_auth_hash_algorithms updated (33613b4b4 -> 648dff0a1)

This is an automated email from the ASF dual-hosted git repository.

ronny pushed a change to branch jenkins-fix-chttpd_auth_hash_algorithms
in repository https://gitbox.apache.org/repos/asf/couchdb.git


    omit 33613b4b4 Refactor hash algorithms test for full CI run
     new 648dff0a1 Refactor hash algorithms test for full CI run

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (33613b4b4)
            \
             N -- N -- N   refs/heads/jenkins-fix-chttpd_auth_hash_algorithms (648dff0a1)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 src/couch/src/couch_util.erl | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)


[couchdb] 01/01: Refactor hash algorithms test for full CI run

Posted by ro...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

ronny pushed a commit to branch jenkins-fix-chttpd_auth_hash_algorithms
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit 648dff0a13338a9b02868fdaa16767fa8392b81d
Author: Ronny Berndt <ro...@apache.org>
AuthorDate: Thu Aug 25 10:14:31 2022 +0200

    Refactor hash algorithms test for full CI run
    
    The test doesn't check if the hash algorithm is supported by the
    erlang vm. The test for supported hash algorithms was only missing
    in the test itself and not in CouchDB.
    Refactor test and verify hash names during test runs.
---
 .../eunit/chttpd_auth_hash_algorithms_tests.erl    | 25 +++++++++-------
 src/couch/include/couch_db.hrl                     |  2 ++
 src/couch/src/couch_httpd_auth.erl                 | 35 ++--------------------
 src/couch/src/couch_util.erl                       | 31 +++++++++++++++++++
 4 files changed, 49 insertions(+), 44 deletions(-)

diff --git a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
index 3d872aa46..c78427d24 100644
--- a/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_auth_hash_algorithms_tests.erl
@@ -18,8 +18,8 @@
 
 -define(ADM_USER, "adm_user").
 -define(ADM_PASS, "adm_pass").
--define(ALLOWED_HASHES, "sha256, sha512, sha, blake2s").
--define(DISALLOWED_HASHES, "md4, md5, ripemd160").
+-define(WORKING_HASHES, "sha256, sha512, sha, blake2s").
+-define(FAILING_HASHES, "md4, md5, ripemd160").
 
 hash_algorithms_test_() ->
     {
@@ -43,12 +43,13 @@ setup() ->
     config:set("admins", ?ADM_USER, ?b2l(Hashed), false),
     config:set("chttpd_auth", "secret", NewSecret, false),
     config:set("chttpd", "require_valid_user", "true", false),
-    config:set("chttpd_auth", "hash_algorithms", ?ALLOWED_HASHES, false),
-    AllowedHashes = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
+    config:set("chttpd_auth", "hash_algorithms", ?WORKING_HASHES, false),
+    HashesShouldWork = re:split(config:get("chttpd_auth", "hash_algorithms"), "\\s*,\\s*", [
         trim, {return, binary}
     ]),
-    DisallowedHashes = re:split(?DISALLOWED_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
-    {Ctx, {AllowedHashes, DisallowedHashes}}.
+    HashesShouldFail = re:split(?FAILING_HASHES, "\\s*,\\s*", [trim, {return, binary}]),
+    SupportedHashAlgorithms = crypto:supports(hashs),
+    {Ctx, {HashesShouldWork, HashesShouldFail, SupportedHashAlgorithms}}.
 
 teardown({Ctx, _}) ->
     config:delete("chttpd_auth", "hash_algorithms", false),
@@ -83,7 +84,7 @@ test_hash_algorithm([], _) ->
 test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Status) ->
     CurrentTime = couch_httpd_auth:make_cookie_time(),
     Cookie = make_auth_session_string(
-        erlang:binary_to_existing_atom(DefaultHashAlgorithm),
+        DefaultHashAlgorithm,
         ?ADM_USER,
         get_full_secret(?ADM_USER),
         CurrentTime
@@ -92,8 +93,10 @@ test_hash_algorithm([DefaultHashAlgorithm | DecodingHashAlgorithmsList] = _, Sta
     ?assertEqual(Status, ReqStatus),
     test_hash_algorithm(DecodingHashAlgorithmsList, Status).
 
-test_hash_algorithms_should_work({_, {AllowedHashes, _}} = _) ->
-    test_hash_algorithm(AllowedHashes, 200).
+test_hash_algorithms_should_work({_, {WorkingHashes, _, SupportedHashAlgorithms}} = _) ->
+    Hashes = couch_util:verify_hash_names(WorkingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes, 200).
 
-test_hash_algorithms_should_fail({_, {_, DisallowedHashes}} = _) ->
-    test_hash_algorithm(DisallowedHashes, 401).
+test_hash_algorithms_should_fail({_, {_, FailingHashes, SupportedHashAlgorithms}} = _) ->
+    Hashes = couch_util:verify_hash_names(FailingHashes, SupportedHashAlgorithms),
+    test_hash_algorithm(Hashes, 401).
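Review bot: Both wrappers can now pass without exercising a single algorithm, because `couch_util:verify_hash_names/2` drops every name the VM does not support and the `test_hash_algorithm([], _)` clause accepts an empty list. In `test_hash_algorithms_should_work` that would hide a build where none of the configured cookie hashes is usable; adding `?assertNotEqual([], Hashes),` before `test_hash_algorithm(Hashes, 200)` keeps the positive case honest, since sha256 is also the `?DEFAULT_HASH_ALGORITHM` fallback and is presumably available on every CI target. For `test_hash_algorithms_should_fail` an empty list may be legitimate on a crypto build without md4/md5/ripemd160, so a comment stating that the 401 check is skipped in that case would be enough there.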
diff --git a/src/couch/include/couch_db.hrl b/src/couch/include/couch_db.hrl
index 233836d16..e70706a7f 100644
--- a/src/couch/include/couch_db.hrl
+++ b/src/couch/include/couch_db.hrl
@@ -15,6 +15,8 @@
 -define(DESIGN_DOC_PREFIX, "_design/").
 -define(DEFAULT_COMPRESSION, snappy).
 
+-define(DEFAULT_HASH_ALGORITHM, sha256).
+
 -define(MIN_STR, <<"">>).
 -define(MAX_STR, <<255>>). % illegal utf string
 
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index e2cb02f8c..b3c984174 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -16,8 +16,6 @@
 
 -include_lib("couch/include/couch_db.hrl").
 
--define(DEFAULT_HASH_ALGORITHM, sha256).
-
 -export([party_mode_handler/1]).
 
 -export([
@@ -298,7 +296,7 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} = Req, AuthModule) ->
                 end,
             % Verify expiry and hash
             CurrentTime = make_cookie_time(),
-            HashAlgorithms = get_config_hash_algorithms(),
+            HashAlgorithms = couch_util:get_config_hash_algorithms(),
             case chttpd_util:get_chttpd_auth_config("secret") of
                 undefined ->
                     couch_log:debug("cookie auth secret is not set", []),
@@ -373,7 +371,7 @@ cookie_auth_header(_Req, _Headers) ->
 
 cookie_auth_cookie(Req, User, Secret, TimeStamp) ->
     SessionData = User ++ ":" ++ erlang:integer_to_list(TimeStamp, 16),
-    [HashAlgorithm | _] = get_config_hash_algorithms(),
+    [HashAlgorithm | _] = couch_util:get_config_hash_algorithms(),
     Hash = couch_util:hmac(HashAlgorithm, Secret, SessionData),
     mochiweb_cookies:cookie(
         "AuthSession",
@@ -702,32 +700,3 @@ authentication_warning(#httpd{mochi_req = Req}, User) ->
         "~p: Authentication failed for user ~s from ~s",
         [?MODULE, User, Peer]
     ).
-
-verify_hash_names(HashAlgorithms, SupportedHashFun) ->
-    verify_hash_names(HashAlgorithms, SupportedHashFun, []).
-verify_hash_names([], _, HashNames) ->
-    lists:reverse(HashNames);
-verify_hash_names([H | T], SupportedHashFun, HashNames) ->
-    try
-        HashAtom = binary_to_existing_atom(H),
-        Result =
-            case lists:member(HashAtom, SupportedHashFun) of
-                true -> [HashAtom | HashNames];
-                false -> HashNames
-            end,
-        verify_hash_names(T, SupportedHashFun, Result)
-    catch
-        error:badarg ->
-            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
-            verify_hash_names(T, SupportedHashFun, HashNames)
-    end.
-
--spec get_config_hash_algorithms() -> list(atom()).
-get_config_hash_algorithms() ->
-    SupportedHashAlgorithms = crypto:supports(hashs),
-    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
-    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
-    case verify_hash_names(HashAlgorithms, SupportedHashAlgorithms) of
-        [] -> [?DEFAULT_HASH_ALGORITHM];
-        VerifiedHashNames -> VerifiedHashNames
-    end.
diff --git a/src/couch/src/couch_util.erl b/src/couch/src/couch_util.erl
index 84691d14e..e916bbc69 100644
--- a/src/couch/src/couch_util.erl
+++ b/src/couch/src/couch_util.erl
@@ -43,6 +43,8 @@
 -export([set_process_priority/2]).
 -export([hmac/3]).
 -export([version_to_binary/1]).
+-export([verify_hash_names/2]).
+-export([get_config_hash_algorithms/0]).
 
 -include_lib("couch/include/couch_db.hrl").
 
@@ -829,3 +831,32 @@ hex(X) ->
         16#6530, 16#6531, 16#6532, 16#6533, 16#6534, 16#6535, 16#6536, 16#6537, 16#6538, 16#6539, 16#6561, 16#6562, 16#6563, 16#6564, 16#6565, 16#6566,
         16#6630, 16#6631, 16#6632, 16#6633, 16#6634, 16#6635, 16#6636, 16#6637, 16#6638, 16#6639, 16#6661, 16#6662, 16#6663, 16#6664, 16#6665, 16#6666
     }).
+
+verify_hash_names(HashAlgorithms, SupportedHashes) ->
+    verify_hash_names(HashAlgorithms, SupportedHashes, []).
+verify_hash_names([], _, HashNames) ->
+    lists:reverse(HashNames);
+verify_hash_names([H | T], SupportedHashes, HashNames) ->
+    try
+        HashAtom = binary_to_existing_atom(H),
+        Result =
+            case lists:member(HashAtom, SupportedHashes) of
+                true -> [HashAtom | HashNames];
+                false -> HashNames
+            end,
+        verify_hash_names(T, SupportedHashes, Result)
+    catch
+        error:badarg ->
+            couch_log:warning("~p: Hash algorithm ~s is not valid.", [?MODULE, H]),
+            verify_hash_names(T, SupportedHashes, HashNames)
+    end.
+
+-spec get_config_hash_algorithms() -> list(atom()).
+get_config_hash_algorithms() ->
+    SupportedHashes = crypto:supports(hashs),
+    HashAlgorithmsStr = chttpd_util:get_chttpd_auth_config("hash_algorithms", "sha256, sha"),
+    HashAlgorithms = re:split(HashAlgorithmsStr, "\\s*,\\s*", [trim, {return, binary}]),
+    case verify_hash_names(HashAlgorithms, SupportedHashes) of
+        [] -> [?DEFAULT_HASH_ALGORITHM];
+        VerifiedHashNames -> VerifiedHashNames
+    end.
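Review bot: In `verify_hash_names/3` the `false -> HashNames` branch discards a configured name that is a known atom but is missing from `crypto:supports(hashs)` without logging anything, while a name that is not an existing atom gets a warning; `get_config_hash_algorithms/0` then falls back to `?DEFAULT_HASH_ALGORITHM` just as quietly when the filtered list is empty. Because this list decides which HMAC algorithms are used and accepted for the `AuthSession` cookie, an operator who restricts `hash_algorithms` should be able to see when an entry was ignored. I would log in the `false` branch as well, e.g. `false -> couch_log:warning("~p: Hash algorithm ~s is not supported.", [?MODULE, H]), HashNames`, and add a similar warning to the `[] ->` fallback. Now that `verify_hash_names/2` is exported, a `-spec verify_hash_names([binary()], [atom()]) -> [atom()].` would document the contract next to the existing spec for `get_config_hash_algorithms/0`.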