declare ['PHP_AUTH_DIGEST'] for Digest HTTP authentication

Summary:
fix for #5201
Closes #6554

Reviewed By: fredemmott

Differential Revision: D2659232

fb-gh-sync-id: 8f8eea508bef61e593bf1cb14eac4fbf23d4d9f9

hphp/runtime/server/http-protocol.cpp

@@ -106,6 +106,7 @@ const StaticString
   s_CONTENT_LENGTH("CONTENT_LENGTH"),
   s_PHP_AUTH_USER("PHP_AUTH_USER"),
   s_PHP_AUTH_PW("PHP_AUTH_PW"),
+  s_PHP_AUTH_DIGEST("PHP_AUTH_DIGEST"),
   s_REQUEST_URI("REQUEST_URI"),
   s_SCRIPT_URL("SCRIPT_URL"),
   s_SCRIPT_URI("SCRIPT_URI"),
@@ -620,6 +621,8 @@ static void CopyAuthInfo(Array& server, Transport *transport) {
         server.set(s_PHP_AUTH_USER, decodedAuth.substr(0, colonPos));
         server.set(s_PHP_AUTH_PW, decodedAuth.substr(colonPos + 1));
       }
+    } else if (strncmp(authorization.c_str(), "Digest ", 7) == 0) {
+      server.set(s_PHP_AUTH_DIGEST, String(authorization.c_str() + 7));
     }
   }
 }

hphp/test/server/fastcgi/server_root/test_auth_digest.php

@@ -0,0 +1,54 @@
+<?php
+$realm = 'Restricted area';
+
+//user => password
+$users = array('admin' => 'mypass');
+
+if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
+    header('HTTP/1 . 1 401 Unauthorized');
+    header('WWW-Authenticate: Digest realm="' . $realm .
+           '",qop="auth",nonce="' . uniqid() . '",opaque="' .
+           md5($realm) . '"');
+
+    die('Text to send if user hits Cancel button');
+}
+
+
+// analyze the PHP_AUTH_DIGEST variable
+if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) ||
+    !isset($users[$data['username']]))
+    die('Wrong Credentials!');
+
+
+// generate the valid response
+$A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]);
+$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
+$valid_response = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
+                      $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
+
+if ($data['response'] != $valid_response)
+    die('Wrong Credentials!');
+
+// ok, valid username & password
+echo 'You are logged in as: ' . $data['username'];
+
+
+// function to parse the http auth header
+function http_digest_parse($txt)
+{
+    // protect against missing data
+    $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1,
+                          'username'=>1, 'uri'=>1, 'response'=>1);
+    $data = array();
+    $keys = implode('|', array_keys($needed_parts));
+
+    preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
+                   $txt, $matches, PREG_SET_ORDER);
+
+    foreach ($matches as $m) {
+        $data[$m[1]] = $m[3] ? $m[3] : $m[4];
+        unset($needed_parts[$m[1]]);
+    }
+
+    return $needed_parts ? false : $data;
+}

hphp/test/server/fastcgi/tests/authDigestTest.php

@@ -0,0 +1,26 @@
+<?php
+
+require_once('test_base.inc');
+
+function BadAuthDigestTestController($serverPort) {
+  $args = array('Authorization' => 'Digest "username="admin", ' .
+    'realm="Restricted area", nonce="564a12f5c065e", ' .
+    'uri="/test_auth_digest.php", cnonce="MjIyMTg2", nc=00000001, ' .
+    'qop="auth", response="6dfbea52fbf13016476c1879e6436004", ' .
+    'opaque="cdce8a5c95a1427d74df7acbf41c9ce0"');
+  var_dump(request(php_uname('n'), $serverPort, "test_auth_digest.php",
+                  [], [], $args));
+}
+
+function GoodAuthDigestTestController($serverPort) {
+  $args = array('Authorization' => 'Digest username="admin", ' .
+    'realm="Restricted area", nonce="564a12611dae8", ' .
+    'uri="/test_auth_digest.php", cnonce="MjIyMTg1", nc=00000001, ' .
+    'qop="auth", response="e544aaed06917adea3e5c74dd49f0e32", ' .
+    'opaque="cdce8a5c95a1427d74df7acbf41c9ce0"');
+  var_dump(request(php_uname('n'), $serverPort, "test_auth_digest.php",
+                  [], [], $args));
+}
+
+runTest("BadAuthDigestTestController");
+runTest("GoodAuthDigestTestController");

hphp/test/server/fastcgi/tests/authDigestTest.php.expect

@@ -0,0 +1,2 @@
+string(18) "Wrong Credentials!"
+string(27) "You are logged in as: admin"