add unit tests for Apache Require claim authz functions

zandbelt · zandbelt · commit 71b7c29a3af1 · 2019-05-21T09:36:01.000+02:00
Signed-off-by: Hans Zandbelt &lt;hans.zandbelt@zmartzone.eu&gt;
diff --git a/.cproject b/.cproject
@@ -18,7 +18,7 @@
 				</extensions>
 			</storageModule>
 			<storageModule moduleId="cdtBuildSystem" version="4.0.0">
-				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.default" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719" name="Build (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock,org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build">
+				<configuration artifactName="${ProjName}" buildArtefactType="org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools" buildProperties="org.eclipse.cdt.build.core.buildArtefactType=org.eclipse.linuxtools.cdt.autotools.core.buildArtefactType.autotools,org.eclipse.cdt.build.core.buildType=org.eclipse.linuxtools.cdt.autotools.core.buildType.default" cleanCommand="rm -rf" description="" errorParsers="org.eclipse.cdt.core.CWDLocator;org.eclipse.cdt.core.GmakeErrorParser;org.eclipse.cdt.core.GCCErrorParser;org.eclipse.cdt.core.GLDErrorParser;org.eclipse.cdt.core.GASErrorParser" id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719" name="Build (GNU)" optionalBuildProperties="org.eclipse.cdt.docker.launcher.containerbuild.property.selectedvolumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.volumes=,org.eclipse.cdt.docker.launcher.containerbuild.property.connection=unix:///var/run/docker.sock" parent="org.eclipse.linuxtools.cdt.autotools.core.configuration.build">
 					<folderInfo id="org.eclipse.linuxtools.cdt.autotools.core.configuration.build.1562680719." name="/" resourcePath="">
 						<toolChain id="org.eclipse.linuxtools.cdt.autotools.core.toolChain.617277945" name="GNU Autotools Toolchain" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolChain">
 							<targetPlatform id="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform.359991688" isAbstract="false" name="GNU Autotools Target Platform" superClass="org.eclipse.linuxtools.cdt.autotools.core.toolchain.targetPlatform"/>
diff --git a/Makefile.am b/Makefile.am
@@ -157,7 +157,7 @@ check_liboauth2_LDADD = liboauth2.la
 if HAVE_APACHE
 check_liboauth2_CPPFLAGS += $(liboauth2_apache_la_CPPFLAGS)
 check_liboauth2_CFLAGS += $(liboauth2_apache_la_CFLAGS)
-check_liboauth2_LDADD += liboauth2_apache.la
+check_liboauth2_LDADD += liboauth2_apache.la ${liboauth2_apache_la_LIBADD}
 endif
 if HAVE_NGINX
 check_liboauth2_CPPFLAGS += $(liboauth2_nginx_la_CPPFLAGS)
@@ -181,6 +181,10 @@ check_liboauth2_SOURCES = \
 	test/check_oauth2.c \
 	test/check_openidc.c \
 	test/server_stubs.c
+if HAVE_APACHE
+check_liboauth2_SOURCES += \
+	test/check_apache.c
+endif
 
 endif
 
diff --git a/src/server/apache.c b/src/server/apache.c
@@ -876,15 +876,17 @@ bool oauth2_apache_authz_match_claim(oauth2_apache_request_ctx_t *ctx,
 				return true;
 
 			/* a tilde denotes a string PCRE match */
-			//			} else if (!(*attr_c) && (*spec_c)
+			//			} else if (!(*attr_c) &&
+			//(*spec_c)
 			//== '~') {
 			//
 			//				/* skip the tilde */
 			//				spec_c++;
 			//
 			//				if
 			//(oauth2_authz_match_expression(r, spec_c, val) ==
-			//TRUE) 					return true;
+			// TRUE) 					return
+			// true;
 			/* dot means child nodes must be evaluated */
 		} else if (!(*attr_c) && (*spec_c) == '.') {
 
diff --git a/test/check_apache.c b/test/check_apache.c
@@ -0,0 +1,227 @@
+/***************************************************************************
+ *
+ * Copyright (C) 2018-2019 - ZmartZone Holding BV - www.zmartzone.eu
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @Author: Hans Zandbelt - hans.zandbelt@zmartzone.eu
+ *
+ **************************************************************************/
+
+#include "check_liboauth2.h"
+#include "oauth2/apache.h"
+#include <check.h>
+
+static apr_pool_t *pool = NULL;
+static request_rec *request = NULL;
+static oauth2_log_t *log = 0;
+
+static request_rec *setup_request(apr_pool_t *pool)
+{
+	// const unsigned int kIdx = 0;
+	// const unsigned int kEls = kIdx + 1;
+	request_rec *request =
+	    (request_rec *)apr_pcalloc(pool, sizeof(request_rec));
+
+	request->pool = pool;
+
+	request->headers_in = apr_table_make(request->pool, 0);
+	request->headers_out = apr_table_make(request->pool, 0);
+	request->err_headers_out = apr_table_make(request->pool, 0);
+
+	apr_table_set(request->headers_in, "Host", "www.example.com");
+	apr_table_set(request->headers_in, "OIDC_foo", "some-value");
+	apr_table_set(request->headers_in, "Cookie",
+		      "foo=bar; "
+		      "oauth2_openidc_session"
+		      "=0123456789abcdef; baz=zot");
+
+	request->server = apr_pcalloc(request->pool, sizeof(struct server_rec));
+	request->server->process =
+	    apr_pcalloc(request->pool, sizeof(struct process_rec));
+	request->server->process->pool = request->pool;
+	request->connection =
+	    apr_pcalloc(request->pool, sizeof(struct conn_rec));
+	request->connection->bucket_alloc =
+	    apr_bucket_alloc_create(request->pool);
+	request->connection->local_addr =
+	    apr_pcalloc(request->pool, sizeof(apr_sockaddr_t));
+
+	apr_pool_userdata_set("https", "scheme", NULL, request->pool);
+	request->server->server_hostname = "www.example.com";
+	request->connection->local_addr->port = 443;
+	request->unparsed_uri = "/bla?foo=bar&param1=value1";
+	request->args = "foo=bar&param1=value1";
+	apr_uri_parse(request->pool,
+		      "https://www.example.com/bla?foo=bar&param1=value1",
+		      &request->parsed_uri);
+	/*
+		auth_openidc_module.module_index = kIdx;
+		oidc_cfg *cfg = oidc_create_server_config(request->pool,
+	   request->server); cfg->provider.issuer = "https://idp.example.com";
+		cfg->provider.authorization_endpoint_url =
+				"https://idp.example.com/authorize";
+		cfg->provider.scope = "openid";
+		cfg->provider.client_id = "client_id";
+		cfg->provider.token_binding_policy =
+	   OIDC_TOKEN_BINDING_POLICY_OPTIONAL; cfg->redirect_uri =
+	   "https://www.example.com/protected/";
+
+		oidc_dir_cfg *d_cfg = oidc_create_dir_config(request->pool,
+	   NULL);
+	*/
+	/*
+		request->server->module_config = apr_pcalloc(request->pool,
+				sizeof(ap_conf_vector_t *) * kEls);
+		request->per_dir_config = apr_pcalloc(request->pool,
+				sizeof(ap_conf_vector_t *) * kEls);
+	*/
+	/*
+		ap_set_module_config(request->server->module_config,
+	   &auth_openidc_module, cfg);
+		ap_set_module_config(request->per_dir_config,
+	   &auth_openidc_module, d_cfg);
+
+		cfg->crypto_passphrase = "12345678901234567890123456789012";
+		cfg->cache = &oidc_cache_shm;
+		cfg->cache_cfg = NULL;
+		cfg->cache_shm_size_max = 500;
+		cfg->cache_shm_entry_size_max = 16384 + 255 + 17;
+		cfg->cache_encrypt = 1;
+		if (cfg->cache->post_config(request->server) != OK) {
+			printf("cfg->cache->post_config failed!\n");
+			exit(-1);
+		}
+	*/
+	return request;
+}
+
+static void check_apache_log_request(oauth2_log_sink_t *sink,
+				     const char *filename, unsigned long line,
+				     const char *function,
+				     oauth2_log_level_t level, const char *msg)
+{
+	oauth2_log(log, filename, line, function, level, "%s", msg);
+}
+
+static void setup(void)
+{
+	log = oauth2_init(OAUTH2_LOG_TRACE1, 0);
+
+	apr_initialize();
+	apr_pool_create(&pool, NULL);
+	request = setup_request(pool);
+}
+
+static void teardown(void)
+{
+	apr_pool_destroy(pool);
+	apr_terminate();
+
+	oauth2_shutdown(log);
+}
+
+START_TEST(test_apache_request_state)
+{
+	json_error_t err;
+	const char *s_claims = "{ \"sub\": \"joe\" }";
+	json_t *in_claims = NULL, *out_claims = NULL;
+	const char *key = "C";
+	char *value = NULL;
+	oauth2_apache_request_ctx_t *ctx = NULL;
+
+	ctx = oauth2_apache_request_context(request, check_apache_log_request,
+					    "check_apache");
+	in_claims = json_loads(s_claims, 0, &err);
+
+	oauth2_apache_request_state_set_json(ctx, key, in_claims);
+
+	oauth2_apache_request_state_get_json(ctx, key, &out_claims);
+	ck_assert_ptr_ne(out_claims, NULL);
+
+	oauth2_json_string_get(log, out_claims, "sub", &value, NULL);
+	ck_assert_ptr_ne(value, NULL);
+	ck_assert_str_eq(value, "joe");
+
+	json_decref(in_claims);
+	json_decref(out_claims);
+}
+END_TEST
+
+START_TEST(test_apache_authz_match_claim)
+{
+	json_error_t err;
+	oauth2_apache_request_ctx_t *ctx = NULL;
+	const char *s_claims = "{ \"sub\": \"joe\" }";
+	json_t *claims = NULL;
+	bool rc = false;
+
+	ctx = oauth2_apache_request_context(request, check_apache_log_request,
+					    "check_apache");
+	claims = json_loads(s_claims, 0, &err);
+
+	rc = oauth2_apache_authz_match_claim(ctx, "sub:joe", claims);
+	ck_assert_int_eq(rc, true);
+
+	rc = oauth2_apache_authz_match_claim(ctx, "sub:hans", claims);
+	ck_assert_int_eq(rc, false);
+
+	json_decref(claims);
+}
+END_TEST
+
+START_TEST(test_apache_authorize)
+{
+	json_error_t err;
+	oauth2_apache_request_ctx_t *ctx = NULL;
+	const char *s_claims = "{ \"sub\": \"joe\" }";
+	json_t *claims = NULL;
+	authz_status rc = AUTHZ_DENIED;
+
+	ctx = oauth2_apache_request_context(request, check_apache_log_request,
+					    "check_apache");
+	claims = json_loads(s_claims, 0, &err);
+
+	rc = oauth2_apache_authorize(ctx, claims, "sub:hans",
+				     oauth2_apache_authz_match_claim);
+	ck_assert_int_eq(rc, AUTHZ_DENIED_NO_USER);
+
+	request->user = "joe";
+	rc = oauth2_apache_authorize(ctx, claims, "sub:hans",
+				     oauth2_apache_authz_match_claim);
+	ck_assert_int_eq(rc, AUTHZ_DENIED);
+
+	rc = oauth2_apache_authorize(ctx, claims, "sub:joe",
+				     oauth2_apache_authz_match_claim);
+	ck_assert_int_eq(rc, AUTHZ_GRANTED);
+
+	json_decref(claims);
+}
+END_TEST
+
+Suite *oauth2_check_apache_suite()
+{
+	Suite *s = suite_create("apache");
+	TCase *c = tcase_create("core");
+
+	tcase_add_checked_fixture(c, setup, teardown);
+
+	tcase_add_test(c, test_apache_request_state);
+	tcase_add_test(c, test_apache_authz_match_claim);
+	tcase_add_test(c, test_apache_authorize);
+
+	suite_add_tcase(s, c);
+
+	return s;
+}
diff --git a/test/check_liboauth2.c b/test/check_liboauth2.c
@@ -292,6 +292,7 @@ int main(void)
 	srunner_add_suite(sr, oauth2_check_proto_suite());
 	srunner_add_suite(sr, oauth2_check_oauth2_suite());
 	srunner_add_suite(sr, oauth2_check_openidc_suite());
+	srunner_add_suite(sr, oauth2_check_apache_suite());
 
 	// srunner_run_all(sr, CK_ENV);
 	srunner_run_all(sr, CK_VERBOSE);
diff --git a/test/check_liboauth2.h b/test/check_liboauth2.h
@@ -40,6 +40,7 @@ Suite *oauth2_check_http_suite();
 Suite *oauth2_check_proto_suite();
 Suite *oauth2_check_oauth2_suite();
 Suite *oauth2_check_openidc_suite();
+Suite *oauth2_check_apache_suite();
 
 char *oauth2_check_http_serve(const char *request);
 char *oauth2_check_jose_serve(const char *request);
diff --git a/test/server_stubs.c b/test/server_stubs.c
@@ -1,6 +1,77 @@
 #ifdef HAVE_APACHE
+#include <apr_lib.h>
 #include <oauth2/apache.h>
 
+static char *substring_conf(apr_pool_t *p, const char *start, int len,
+			    char quote)
+{
+	char *result = apr_palloc(p, len + 1);
+	char *resp = result;
+	int i;
+
+	for (i = 0; i < len; ++i) {
+		if (start[i] == '\\' &&
+		    (start[i + 1] == '\\' || (quote && start[i + 1] == quote)))
+			*resp++ = start[++i];
+		else
+			*resp++ = start[i];
+	}
+
+	*resp++ = '\0';
+#if RESOLVE_ENV_PER_TOKEN
+	return (char *)ap_resolve_env(p, result);
+#else
+	return result;
+#endif
+}
+
+AP_DECLARE(char *) ap_getword_conf(apr_pool_t *p, const char **line)
+{
+	const char *str = *line, *strend;
+	char *res;
+	char quote;
+
+	while (apr_isspace(*str))
+		++str;
+
+	if (!*str) {
+		*line = str;
+		return "";
+	}
+
+	if ((quote = *str) == '"' || quote == '\'') {
+		strend = str + 1;
+		while (*strend && *strend != quote) {
+			if (*strend == '\\' && strend[1] &&
+			    (strend[1] == quote || strend[1] == '\\')) {
+				strend += 2;
+			} else {
+				++strend;
+			}
+		}
+		res = substring_conf(p, str + 1, strend - str - 1, quote);
+
+		if (*strend == quote)
+			++strend;
+	} else {
+		strend = str;
+		while (*strend && !apr_isspace(*strend))
+			++strend;
+
+		res = substring_conf(p, str, strend - str, 0);
+	}
+
+	while (apr_isspace(*strend))
+		++strend;
+	*line = strend;
+	return res;
+}
+
+AP_DECLARE(char *) ap_getword_conf_nc(apr_pool_t *p, char **line)
+{
+	return ap_getword_conf(p, (const char **)line);
+}
+
 AP_DECLARE(int) ap_should_client_block(request_rec *r)
 {
 	return 0;
