Enable digest test runs on CurlHandler. (#28571)

rmkerr · web-flow · commit 0257e6cc85c3 · 2018-03-29T11:25:02.000-07:00
Now that the authentication test failures have been diagnosed, re-enable most of the Digest authentication test cases on CurlHandler. Four additional cases had to be moved to the SocketsHttpHandler only tests, since they fail on CurlHandler and do not have fixes yet.

The digest test cases have to use credentials without a domain when run against CurlHandler. This is because Curl does not allow us to set the realm parameter used to send the domain along with a digest authorization header.
diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Authentication.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.Authentication.cs
@@ -18,6 +18,7 @@ public abstract class HttpClientHandler_Authentication_Test : HttpClientTestBase
         private const string Domain = "testdomain";
 
         private static readonly NetworkCredential s_credentials = new NetworkCredential(Username, Password, Domain);
+        private static readonly NetworkCredential s_credentialsNoDomain = new NetworkCredential(Username, Password);
 
         private static readonly Func<HttpClientHandler, Uri, HttpStatusCode, ICredentials, Task> s_createAndValidateRequest = async (handler, url, expectedStatusCode, credentials) =>
         {
@@ -34,12 +35,17 @@ public abstract class HttpClientHandler_Authentication_Test : HttpClientTestBase
         [MemberData(nameof(Authentication_TestData))]
         public async Task HttpClientHandler_Authentication_Succeeds(string authenticateHeader, bool result)
         {
-            if (PlatformDetection.IsWindowsNanoServer || (IsCurlHandler && authenticateHeader.ToLowerInvariant().Contains("digest")))
+            if (PlatformDetection.IsWindowsNanoServer)
             {
                 // TODO: #28065: Fix failing authentication test cases on different httpclienthandlers.
                 return;
             }
 
+            // Digest authentication does not work with domain credentials on CurlHandler. This is blocked by the behavior of LibCurl.
+            NetworkCredential credentials = (IsCurlHandler && authenticateHeader.ToLowerInvariant().Contains("digest")) ?
+                s_credentialsNoDomain :
+                s_credentials;
+
             var options = new LoopbackServer.Options { Domain = Domain, Username = Username, Password = Password };
             await LoopbackServer.CreateServerAsync(async (server, url) =>
             {
@@ -50,7 +56,7 @@ await LoopbackServer.CreateServerAsync(async (server, url) =>
                     server.AcceptConnectionSendResponseAndCloseAsync(HttpStatusCode.Unauthorized, serverAuthenticateHeader);
 
                 await TestHelper.WhenAllCompletedOrAnyFailedWithTimeout(TestHelper.PassingTestTimeoutMilliseconds,
-                    s_createAndValidateRequest(handler, url, result ? HttpStatusCode.OK : HttpStatusCode.Unauthorized, s_credentials), serverTask);
+                    s_createAndValidateRequest(handler, url, result ? HttpStatusCode.OK : HttpStatusCode.Unauthorized, credentials), serverTask);
             }, options);
         }
 
@@ -139,21 +145,13 @@ public static IEnumerable<object[]> Authentication_TestData()
             yield return new object[] { "bAsiC ", true };
             yield return new object[] { "basic", true };
 
-            // Add digest tests fail on CurlHandler.
-            // TODO: #28065: Fix failing authentication test cases on different httpclienthandlers.
-            yield return new object[] { "Digest realm=\"testrealm\" nonce=\"testnonce\"", false };
             yield return new object[] { $"Digest realm=\"testrealm\", nonce=\"{Convert.ToBase64String(Encoding.UTF8.GetBytes($"{DateTimeOffset.UtcNow}:XMh;z+$5|`i6Hx}}\", qop=auth-int, algorithm=MD5"))}\"", true };
-            yield return new object[] { "Digest realm=\"api@example.org\", qop=\"auth\", algorithm=MD5-sess, nonce=\"5TsQWLVdgBdmrQ0XsxbDODV+57QdFR34I9HAbC/RVvkK\", " +
-                    "opaque=\"HRPCssKJSGjCrkzDg8OhwpzCiGPChXYjwrI2QmXDnsOS\", charset=UTF-8, userhash=true", true };
-            yield return new object[] { "dIgEsT realm=\"api@example.org\", qop=\"auth\", algorithm=MD5-sess, nonce=\"5TsQWLVdgBdmrQ0XsxbDODV+57QdFR34I9HAbC/RVvkK\", " +
-                    "opaque=\"HRPCssKJSGjCrkzDg8OhwpzCiGPChXYjwrI2QmXDnsOS\", charset=UTF-8, userhash=true", true };
             yield return new object[] { $"Basic realm=\"testrealm\", " +
                     $"Digest realm=\"testrealm\", nonce=\"{Convert.ToBase64String(Encoding.UTF8.GetBytes($"{DateTimeOffset.UtcNow}:XMh;z+$5|`i6Hx}}"))}\", algorithm=MD5", true };
 
             if (PlatformDetection.IsNetCore)
             {
                 // TODO: #28060: Fix failing authentication test cases on Framework run.
-                yield return new object[] { "Digest realm=\"testrealm1\", nonce=\"testnonce1\" Digest realm=\"testrealm2\", nonce=\"testnonce2\"", false };
                 yield return new object[] { "Basic something, Digest something", false };
                 yield return new object[] { $"Digest realm=\"testrealm\", nonce=\"testnonce\", algorithm=MD5 " +
                     $"Basic realm=\"testrealm\"", false };
diff --git a/src/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs b/src/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs
@@ -568,13 +568,25 @@ public async void SocketsHttpHandler_Authentication_Succeeds(string authenticate
 
         public static IEnumerable<object[]> Authentication_SocketsHttpHandler_TestData()
         {
-            // These test cases pass on SocketsHttpHandler, fail everywhere else.
-            // TODO: #28065: Investigate failing authentication test cases on WinHttpHandler & CurlHandler.
+            // These test cases successfully authenticate on SocketsHttpHandler but fail on the other handlers.
+            // These are legal as per the the RFC, so authenticating is the expected behavior. See #28521 for details.
             yield return new object[] { "Basic realm=\"testrealm1\" basic realm=\"testrealm1\"", true };
             yield return new object[] { "Basic something digest something", true };
+            yield return new object[] { "Digest realm=\"api@example.org\", qop=\"auth\", algorithm=MD5-sess, nonce=\"5TsQWLVdgBdmrQ0XsxbDODV+57QdFR34I9HAbC/RVvkK\", " +
+                    "opaque=\"HRPCssKJSGjCrkzDg8OhwpzCiGPChXYjwrI2QmXDnsOS\", charset=UTF-8, userhash=true", true };
+            yield return new object[] { "dIgEsT realm=\"api@example.org\", qop=\"auth\", algorithm=MD5-sess, nonce=\"5TsQWLVdgBdmrQ0XsxbDODV+57QdFR34I9HAbC/RVvkK\", " +
+                    "opaque=\"HRPCssKJSGjCrkzDg8OhwpzCiGPChXYjwrI2QmXDnsOS\", charset=UTF-8, userhash=true", true };
+
+            // These cases fail on WinHttpHandler because of a behavior in WinHttp that causes requests to be duplicated
+            // when the digest header has certain parameters. See #28522 for details.
             yield return new object[] { "Digest ", false };
-            yield return new object[] { "Digest realm=withoutquotes, nonce=withoutquotes", false };
             yield return new object[] { "Digest realm=\"testrealm\", nonce=\"testnonce\", algorithm=\"myown\"", false };
+
+            // These cases fail to authenticate on SocketsHttpHandler, but succeed on the other handlers.
+            // they are all invalid as per the RFC, so failing is the expected behavior. See #28523 for details.
+            yield return new object[] { "Digest realm=withoutquotes, nonce=withoutquotes", false };
+            yield return new object[] { "Digest realm=\"testrealm\" nonce=\"testnonce\"", false };
+            yield return new object[] { "Digest realm=\"testrealm1\", nonce=\"testnonce1\" Digest realm=\"testrealm2\", nonce=\"testnonce2\"", false };
         }
     }
 
