Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- Manifest: netwerk/test/unit/xpcshell.toml
// Unit tests for a NTLM authenticated proxy
//
// Currently the tests do not determine whether the Authentication dialogs have
// been displayed.
//
"use strict";
const { HttpServer } = ChromeUtils.importESModule(
);
ChromeUtils.defineLazyGetter(this, "URL", function () {
});
function AuthPrompt() {}
AuthPrompt.prototype = {
user: "guest",
pass: "guest",
QueryInterface: ChromeUtils.generateQI(["nsIAuthPrompt2"]),
promptAuth: function ap_promptAuth(channel, level, authInfo) {
authInfo.username = this.user;
authInfo.password = this.pass;
return true;
},
asyncPromptAuth: function ap_async() {
throw Components.Exception("", Cr.NS_ERROR_NOT_IMPLEMENTED);
},
};
function Requestor() {}
Requestor.prototype = {
QueryInterface: ChromeUtils.generateQI(["nsIInterfaceRequestor"]),
getInterface: function requestor_gi(iid) {
if (iid.equals(Ci.nsIAuthPrompt2)) {
// Allow the prompt to store state by caching it here
if (!this.prompt) {
this.prompt = new AuthPrompt();
}
return this.prompt;
}
throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
},
prompt: null,
};
function makeChan(url, loadingUrl) {
var principal = Services.scriptSecurityManager.createContentPrincipal(
Services.io.newURI(loadingUrl),
{}
);
return NetUtil.newChannel({
uri: url,
loadingPrincipal: principal,
securityFlags: Ci.nsILoadInfo.SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT,
contentPolicyType: Ci.nsIContentPolicy.TYPE_OTHER,
});
}
function TestListener(resolve) {
this.resolve = resolve;
}
TestListener.prototype.onStartRequest = function (request) {
// Need to do the instanceof to allow request.responseStatus
// to be read.
if (!(request instanceof Ci.nsIHttpChannel)) {
dump("Expecting an HTTP channel");
}
Assert.equal(expectedResponse, request.responseStatus, "HTTP Status code");
};
TestListener.prototype.onStopRequest = function () {
Assert.equal(expectedRequests, requestsMade, "Number of requests made ");
Assert.equal(
exptTypeOneCount,
ntlmTypeOneCount,
"Number of type one messages received"
);
Assert.equal(
exptTypeTwoCount,
ntlmTypeTwoCount,
"Number of type two messages received"
);
this.resolve();
};
TestListener.prototype.onDataAvaiable = function (
request,
context,
stream,
offset,
count
) {
read_stream(stream, count);
};
// NTLM Messages, for the received type 1 and 3 messages only check that they
// are of the expected type.
const NTLM_TYPE1_PREFIX = "NTLM TlRMTVNTUAABAAAA";
const NTLM_TYPE2_PREFIX = "NTLM TlRMTVNTUAACAAAA";
const NTLM_TYPE3_PREFIX = "NTLM TlRMTVNTUAADAAAA";
const NTLM_PREFIX_LEN = 21;
const PROXY_CHALLENGE =
NTLM_TYPE2_PREFIX +
"DgAOADgAAAAFgooCqLNOPe2aZOAAAAAAAAAAAFAAUABGAAAA" +
"BgEAAAAAAA9HAFcATAAtAE0ATwBaAAIADgBHAFcATAAtAE0A" +
"TwBaAAEADgBHAFcATAAtAE0ATwBaAAQAAgAAAAMAEgBsAG8A" +
"YwBhAGwAaABvAHMAdAAHAAgAOKEwGEZL0gEAAAAA";
// Proxy responses for the happy path scenario.
// i.e. successful proxy auth
//
function successfulAuth(metadata, response) {
let authorization;
let authPrefix;
switch (requestsMade) {
case 0:
// Proxy - First request to the Proxy resppond with a 407 to start auth
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", "NTLM", false);
break;
case 1:
// Proxy - Expecting a type 1 negotiate message from the client
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE1_PREFIX, authPrefix, "Expecting a Type 1 message");
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", PROXY_CHALLENGE, false);
break;
case 2:
// Proxy - Expecting a type 3 Authenticate message from the client
// Will respond with a 401 to start web server auth sequence
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE3_PREFIX, authPrefix, "Expecting a Type 3 message");
response.setStatusLine(metadata.httpVersion, 200, "Successful");
break;
default:
// We should be authenticated and further requests are permitted
authorization = metadata.getHeader("Proxy-Authorization");
Assert.isnull(authorization);
response.setStatusLine(metadata.httpVersion, 200, "Successful");
}
requestsMade++;
}
// Proxy responses simulating an invalid proxy password
// Note: that the connection should not be reused after the
// proxy auth fails.
//
function failedAuth(metadata, response) {
let authorization;
let authPrefix;
switch (requestsMade) {
case 0:
// Proxy - First request respond with a 407 to initiate auth sequence
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", "NTLM", false);
break;
case 1:
// Proxy - Expecting a type 1 negotiate message from the client
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE1_PREFIX, authPrefix, "Expecting a Type 1 message");
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", PROXY_CHALLENGE, false);
break;
case 2:
// Proxy - Expecting a type 3 Authenticate message from the client
// Respond with a 407 to indicate invalid credentials
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE3_PREFIX, authPrefix, "Expecting a Type 3 message");
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", "NTLM", false);
break;
default:
// Strictly speaking the connection should not be reused at this point
// commenting out for now.
dump("ERROR: NTLM Proxy Authentication, connection should not be reused");
// assert.fail();
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
}
requestsMade++;
}
//
// Simulate a connection reset once the connection has been authenticated
//
function connectionReset(metadata, response) {
let authorization;
let authPrefix;
switch (requestsMade) {
case 0:
// Proxy - First request to the Proxy resppond with a 407 to start auth
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", "NTLM", false);
break;
case 1:
// Proxy - Expecting a type 1 negotiate message from the client
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE1_PREFIX, authPrefix, "Expecting a Type 1 message");
ntlmTypeOneCount++;
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", PROXY_CHALLENGE, false);
break;
case 2:
authorization = metadata.getHeader("Proxy-Authorization");
authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE3_PREFIX, authPrefix, "Expecting a Type 3 message");
ntlmTypeTwoCount++;
try {
response.seizePower();
response.finish();
} catch (e) {
Assert.ok(false, "unexpected exception" + e);
}
break;
default:
// Should not get any further requests on this channel
dump("ERROR: NTLM Proxy Authentication, connection should not be reused");
Assert.ok(false);
}
requestsMade++;
}
//
// Reset the connection after a negotiate message has been received
//
function connectionReset02(metadata, response) {
var connectionNumber = httpserver.connectionNumber;
switch (requestsMade) {
case 0:
// Proxy - First request to the Proxy respond with a 407 to start auth
response.setStatusLine(metadata.httpVersion, 407, "Unauthorized");
response.setHeader("Proxy-Authenticate", "NTLM", false);
Assert.equal(connectionNumber, httpserver.connectionNumber);
break;
case 1:
// eslint-disable-next-line no-fallthrough
default:
// Proxy - Expecting a type 1 negotiate message from the client
Assert.equal(connectionNumber, httpserver.connectionNumber);
var authorization = metadata.getHeader("Proxy-Authorization");
var authPrefix = authorization.substring(0, NTLM_PREFIX_LEN);
Assert.equal(NTLM_TYPE1_PREFIX, authPrefix, "Expecting a Type 1 message");
ntlmTypeOneCount++;
try {
response.seizePower();
response.finish();
} catch (e) {
Assert.ok(false, "unexpected exception" + e);
}
}
requestsMade++;
}
var httpserver = null;
function setup() {
httpserver = new HttpServer();
httpserver.start(-1);
Services.prefs.setCharPref("network.proxy.http", "localhost");
Services.prefs.setIntPref(
"network.proxy.http_port",
httpserver.identity.primaryPort
);
Services.prefs.setCharPref("network.proxy.no_proxies_on", "");
Services.prefs.setIntPref("network.proxy.type", 1);
Services.prefs.setBoolPref("network.proxy.allow_hijacking_localhost", true);
registerCleanupFunction(async () => {
Services.prefs.clearUserPref("network.proxy.http");
Services.prefs.clearUserPref("network.proxy.http_port");
Services.prefs.clearUserPref("network.proxy.no_proxies_on");
Services.prefs.clearUserPref("network.proxy.type");
Services.prefs.clearUserPref("network.proxy.allow_hijacking_localhost");
await httpserver.stop();
});
}
setup();
var expectedRequests = 0; // Number of HTTP requests that are expected
var requestsMade = 0; // The number of requests that were made
var expectedResponse = 0; // The response code
// Note that any test failures in the HTTP handler
// will manifest as a 500 response code
// Common test setup
// Parameters:
// path - path component of the URL
// handler - http handler function for the httpserver
// requests - expected number oh http requests
// response - expected http response code
// clearCache - clear the authentication cache before running the test
function setupTest(path, handler, requests, response, clearCache) {
requestsMade = 0;
expectedRequests = requests;
expectedResponse = response;
// clear the auth cache if requested
if (clearCache) {
dump("Clearing auth cache");
Cc["@mozilla.org/network/http-auth-manager;1"]
.getService(Ci.nsIHttpAuthManager)
.clearAll();
}
return new Promise(resolve => {
var chan = makeChan(URL + path, URL);
httpserver.registerPathHandler(path, handler);
chan.notificationCallbacks = new Requestor();
chan.asyncOpen(new TestListener(resolve));
});
}
let ntlmTypeOneCount = 0; // The number of NTLM type one messages received
let exptTypeOneCount = 0; // The number of NTLM type one messages that should be received
let ntlmTypeTwoCount = 0; // The number of NTLM type two messages received
let exptTypeTwoCount = 0; // The number of NTLM type two messages that should received
// Happy code path
// Successful proxy auth.
async function test_happy_path() {
dump("RUNNING TEST: test_happy_path");
await setupTest("/auth", successfulAuth, 3, 200, 1);
}
// Failed proxy authentication
async function test_failed_auth() {
dump("RUNNING TEST:failed auth ");
await setupTest("/auth", failedAuth, 4, 407, 1);
}
// Test connection reset, after successful auth
async function test_connection_reset() {
dump("RUNNING TEST:connection reset ");
ntlmTypeOneCount = 0;
ntlmTypeTwoCount = 0;
exptTypeOneCount = 1;
exptTypeTwoCount = 1;
await setupTest("/auth", connectionReset, 3, 500, 1);
}
// Test connection reset after sending a negotiate.
// Client should retry request using the same connection
async function test_connection_reset02() {
dump("RUNNING TEST:connection reset ");
ntlmTypeOneCount = 0;
ntlmTypeTwoCount = 0;
let maxRetryAttempt = 5;
exptTypeOneCount = maxRetryAttempt;
exptTypeTwoCount = 0;
Services.prefs.setIntPref(
"network.http.request.max-attempts",
maxRetryAttempt
);
await setupTest("/auth", connectionReset02, maxRetryAttempt + 1, 500, 1);
}
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", false]] },
test_happy_path
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", false]] },
test_failed_auth
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", false]] },
test_connection_reset
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", false]] },
test_connection_reset02
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", true]] },
test_happy_path
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", true]] },
test_failed_auth
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", true]] },
test_connection_reset
);
add_task(
{ pref_set: [["network.auth.use_redirect_for_retries", true]] },
test_connection_reset02
);