-
Notifications
You must be signed in to change notification settings - Fork 3.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Initial implementation of Digest authentication
Most ported from the existing DigestAuthentication adapter for the old HttpSocket. It still needs some real world testing as I'm not completely confident in it yet. Change authentication strategy construction so it gets the current client. This makes it possible to do challenge requests which are needed for digest auth.
- Loading branch information
Showing
3 changed files
with
262 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
<?php | ||
/** | ||
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org) | ||
* Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) | ||
* | ||
* Licensed under The MIT License | ||
* Redistributions of files must retain the above copyright notice. | ||
* | ||
* @copyright Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) | ||
* @link http://cakephp.org CakePHP(tm) Project | ||
* @since CakePHP(tm) v 3.0.0 | ||
* @license MIT License (http://www.opensource.org/licenses/mit-license.php) | ||
*/ | ||
namespace Cake\Network\Http\Auth; | ||
|
||
use Cake\Network\Http\Client; | ||
use Cake\Network\Http\Request; | ||
|
||
/** | ||
* Digest authentication adapter for Cake\Network\Http\Client | ||
* | ||
* Generally not directly constructed, but instead used by Cake\Network\Http\Client | ||
* when $options['auth']['type'] is 'digest' | ||
*/ | ||
class Digest { | ||
|
||
/** | ||
* Instance of Cake\Network\Http\Client | ||
* | ||
* @var Cake\Network\Http\Client | ||
*/ | ||
protected $_client; | ||
|
||
/** | ||
* Constructor | ||
* | ||
* @param Cake\Network\Http\Client $client | ||
* @param array $options | ||
*/ | ||
public function __construct(Client $client, $options = null) { | ||
$this->_client = $client; | ||
} | ||
|
||
/** | ||
* Add Authorization header to the request. | ||
* | ||
* @param Request $request | ||
* @param array $credentials | ||
* @return void | ||
* @see http://www.ietf.org/rfc/rfc2617.txt | ||
*/ | ||
public function authentication(Request $request, $credentials) { | ||
if (!isset($credentials['username'], $credentials['password'])) { | ||
return; | ||
} | ||
if (!isset($credentials['realm'])) { | ||
$credentials = $this->_getServerInfo($request, $credentials); | ||
} | ||
if (!isset($credentials['realm'])) { | ||
return; | ||
} | ||
$value = $this->_generateHeader($request, $credentials); | ||
$request->header('Authorization', $value); | ||
} | ||
|
||
/** | ||
* Retrieve information about the authentication | ||
* | ||
* Will get the realm and other tokens by performing | ||
* another request without authentication to get authentication | ||
* challenge. | ||
* | ||
* @param Request $request | ||
* @param array $credentials | ||
* @return Array modified credentials. | ||
*/ | ||
protected function _getServerInfo(Request $request, $credentials) { | ||
$response = $this->_client->get( | ||
$request->url(), | ||
[], | ||
['auth' => []] | ||
); | ||
|
||
if (!$response->header('WWW-Authenticate')) { | ||
return false; | ||
} | ||
preg_match_all( | ||
'@(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))@', | ||
$response->header('WWW-Authenticate'), | ||
$matches, | ||
PREG_SET_ORDER | ||
); | ||
foreach ($matches as $match) { | ||
$credentials[$match[1]] = $match[2]; | ||
} | ||
if (!empty($credentials['qop']) && empty($credentials['nc'])) { | ||
$credentials['nc'] = 1; | ||
} | ||
return $credentials; | ||
} | ||
|
||
/** | ||
* Generate the header Authorization | ||
* | ||
* @param Request $request | ||
* @param array $credentials | ||
* @return string | ||
*/ | ||
protected function _generateHeader(Request $request, $credentials) { | ||
$path = parse_url($request->url(), PHP_URL_PATH); | ||
$a1 = md5($credentials['username'] . ':' . $credentials['realm'] . ':' . $credentials['password']); | ||
$a2 = md5($request->method() . ':' . $path); | ||
|
||
if (empty($credentials['qop'])) { | ||
$response = md5($a1 . ':' . $credentials['nonce'] . ':' . $a2); | ||
} else { | ||
$credentials['cnonce'] = uniqid(); | ||
$nc = sprintf('%08x', $credentials['nc']++); | ||
$response = md5($a1 . ':' . $credentials['nonce'] . ':' . $nc . ':' . $credentials['cnonce'] . ':auth:' . $a2); | ||
} | ||
|
||
$authHeader = 'Digest '; | ||
$authHeader .= 'username="' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $credentials['username']) . '", '; | ||
$authHeader .= 'realm="' . $credentials['realm'] . '", '; | ||
$authHeader .= 'nonce="' . $credentials['nonce'] . '", '; | ||
$authHeader .= 'uri="' . $path . '", '; | ||
$authHeader .= 'response="' . $response . '"'; | ||
if (!empty($credentials['opaque'])) { | ||
$authHeader .= ', opaque="' . $credentials['opaque'] . '"'; | ||
} | ||
if (!empty($credentials['qop'])) { | ||
$authHeader .= ', qop="auth", nc=' . $nc . ', cnonce="' . $credentials['cnonce'] . '"'; | ||
} | ||
return $authHeader; | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
124 changes: 124 additions & 0 deletions
124
lib/Cake/Test/TestCase/Network/Http/Auth/DigestTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
<?php | ||
/** | ||
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org) | ||
* Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) | ||
* | ||
* Licensed under The MIT License | ||
* Redistributions of files must retain the above copyright notice. | ||
* | ||
* @copyright Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org) | ||
* @link http://cakephp.org CakePHP(tm) Project | ||
* @since CakePHP(tm) v 3.0.0 | ||
* @license MIT License (http://www.opensource.org/licenses/mit-license.php) | ||
*/ | ||
namespace Cake\Test\TestCase\Network\Http\Auth; | ||
|
||
use Cake\Network\Http\Request; | ||
use Cake\Network\Http\Response; | ||
use Cake\Network\Http\Auth\Digest; | ||
use Cake\TestSuite\TestCase; | ||
|
||
/** | ||
* Digest authentication test | ||
*/ | ||
class DigestTest extends TestCase { | ||
|
||
/** | ||
* Setup | ||
* | ||
* @return void | ||
*/ | ||
public function setUp() { | ||
parent::setUp(); | ||
|
||
$this->client = $this->getMock( | ||
'Cake\Network\Http\Client', | ||
['send'] | ||
); | ||
$this->auth = new Digest($this->client); | ||
} | ||
|
||
/** | ||
* test getting data from additional request method | ||
* | ||
* @return void | ||
*/ | ||
public function testRealmAndNonceFromExtraRequest() { | ||
$headers = [ | ||
'WWW-Authenticate: Digest realm="The batcave",nonce="4cded326c6c51"' | ||
]; | ||
|
||
$response = new Response($headers, ''); | ||
$this->client->expects($this->once()) | ||
->method('send') | ||
->will($this->returnValue($response)); | ||
|
||
$auth = ['username' => 'admin', 'password' => '1234']; | ||
$request = (new Request())->method(Request::METHOD_GET) | ||
->url('http://example.com/some/path'); | ||
|
||
$this->auth->authentication($request, $auth); | ||
|
||
$result = $request->header('Authorization'); | ||
$this->assertContains('Digest', $result); | ||
$this->assertContains('realm="The batcave"', $result); | ||
$this->assertContains('nonce="4cded326c6c51"', $result); | ||
$this->assertContains('response="a21a874c0b29165929f5d24d1aad2c47"', $result); | ||
$this->assertContains('uri="/some/path"', $result); | ||
$this->assertNotContains('qop=', $result); | ||
$this->assertNotContains('nc=', $result); | ||
} | ||
|
||
/** | ||
* testQop method | ||
* | ||
* @return void | ||
*/ | ||
public function testQop() { | ||
$headers = [ | ||
'WWW-Authenticate: Digest realm="The batcave",nonce="4cded326c6c51",qop="auth"' | ||
]; | ||
|
||
$response = new Response($headers, ''); | ||
$this->client->expects($this->once()) | ||
->method('send') | ||
->will($this->returnValue($response)); | ||
|
||
$auth = ['username' => 'admin', 'password' => '1234']; | ||
$request = (new Request())->method(Request::METHOD_GET) | ||
->url('http://example.com/some/path'); | ||
|
||
$this->auth->authentication($request, $auth); | ||
$result = $request->header('Authorization'); | ||
|
||
$this->assertContains('qop="auth"', $result); | ||
$this->assertContains('nc=00000001', $result); | ||
$this->assertRegexp('/cnonce="[a-z0-9]+"/', $result); | ||
} | ||
|
||
/** | ||
* testOpaque method | ||
* | ||
* @return void | ||
*/ | ||
public function testOpaque() { | ||
$headers = [ | ||
'WWW-Authenticate: Digest realm="The batcave",nonce="4cded326c6c51",opaque="d8ea7aa61a1693024c4cc3a516f49b3c"' | ||
]; | ||
|
||
$response = new Response($headers, ''); | ||
$this->client->expects($this->once()) | ||
->method('send') | ||
->will($this->returnValue($response)); | ||
|
||
$auth = ['username' => 'admin', 'password' => '1234']; | ||
$request = (new Request())->method(Request::METHOD_GET) | ||
->url('http://example.com/some/path'); | ||
|
||
$this->auth->authentication($request, $auth); | ||
$result = $request->header('Authorization'); | ||
|
||
$this->assertContains('opaque="d8ea7aa61a1693024c4cc3a516f49b3c"', $result); | ||
} | ||
|
||
} |