authorStefan Bühler <stbuehler@web.de>2015-11-22 22:22:22 +0000
committerStefan Bühler <stbuehler@web.de>2015-11-22 22:22:22 +0000
commitbfaa48260a1870ed102e3e4801a18bcb29369a89 (patch)
tree383b16df82d121bcdb43e2d18c6ce70857630e0a /tests/mod-secdownload.t
parentb0a44212724d86b9ec8434337d53de69780f1a07 (diff)
[mod_secdownload] add required algorithm option; old behaviour available as "md5", new options "hmac-sha1" and "hmac-sha256"
Differential Revision: https://review.lighttpd.net/D7 From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3054 152afb58-edef-0310-8abb-c4023f1b3aa9
Diffstat (limited to 'tests/mod-secdownload.t')
-rwxr-xr-xtests/mod-secdownload.t130
1 files changed, 117 insertions, 13 deletions
diff --git a/tests/mod-secdownload.t b/tests/mod-secdownload.t
index c8cad385..96baf9d7 100755
--- a/tests/mod-secdownload.t
+++ b/tests/mod-secdownload.t
@@ -8,9 +8,11 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 7;
+use Test::More tests => 15;
use LightyTest;
use Digest::MD5 qw(md5_hex);
+use Digest::SHA qw(hmac_sha1 hmac_sha256);
+use MIME::Base64 qw(encode_base64url);
my $tf = LightyTest->new();
my $t;
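Review bot: The added `use MIME::Base64 qw(encode_base64url);` has no minimum version, and `encode_base64url` is, as far as I recall, only exported from MIME::Base64 3.11 onwards. On an older Perl the whole test file would abort at compile time with an export error rather than reporting a clear prerequisite failure. Stating the requirement in the import makes the cause obvious: `use MIME::Base64 3.11 qw(encode_base64url);` (confirm the exact version against the module's changelog).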
@@ -18,9 +20,21 @@ my $t;
ok($tf->start_proc == 0, "Starting lighttpd") or die();
my $secret = "verysecret";
-my $f = "/index.html";
-my $thex = sprintf("%08x", time);
-my $m = md5_hex($secret.$f.$thex);
+my ($f, $thex, $m);
+
+$t->{REQUEST} = ( <<EOF
+GET /index.html HTTP/1.0
+Host: www.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+
+ok($tf->handle_http($t) == 0, 'skipping secdownload - direct access');
+
+## MD5
+$f = "/index.html";
+$thex = sprintf("%08x", time);
+$m = md5_hex($secret.$f.$thex);
$t->{REQUEST} = ( <<EOF
GET /sec/$m/$thex$f HTTP/1.0
@@ -29,7 +43,7 @@ EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-ok($tf->handle_http($t) == 0, 'secdownload');
+ok($tf->handle_http($t) == 0, 'secdownload (md5)');
$thex = sprintf("%08x", time - 1800);
$m = md5_hex($secret.$f.$thex);
@@ -41,7 +55,7 @@ EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
-ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout)');
+ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (md5)');
$t->{REQUEST} = ( <<EOF
GET /sec$f HTTP/1.0
@@ -50,30 +64,120 @@ EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-ok($tf->handle_http($t) == 0, 'secdownload - direct access');
+ok($tf->handle_http($t) == 0, 'secdownload - direct access (md5)');
+
+$f = "/noexists";
+$thex = sprintf("%08x", time);
+$m = md5_hex($secret.$f.$thex);
$t->{REQUEST} = ( <<EOF
-GET $f HTTP/1.0
-Host: www.example.org
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - timeout (md5)');
+
+## HMAC-SHA1
+$f = "/index.html";
+$thex = sprintf("%08x", time);
+$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
+
+$t->{REQUEST} = ( <<EOF
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv-sha1.example.org
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
-ok($tf->handle_http($t) == 0, 'secdownload - conditional access');
+ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha1)');
+
+$thex = sprintf("%08x", time - 1800);
+$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
+
+$t->{REQUEST} = ( <<EOF
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv-sha1.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha1)');
+
+$t->{REQUEST} = ( <<EOF
+GET /sec$f HTTP/1.0
+Host: vvv-sha1.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha1)');
$f = "/noexists";
$thex = sprintf("%08x", time);
-$m = md5_hex($secret.$f.$thex);
+$m = encode_base64url(hmac_sha1("/$thex$f", $secret));
$t->{REQUEST} = ( <<EOF
GET /sec/$m/$thex$f HTTP/1.0
-Host: vvv.example.org
+Host: vvv-sha1.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha1)');
+
+## HMAC-SHA256
+$f = "/index.html";
+$thex = sprintf("%08x", time);
+$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
+
+$t->{REQUEST} = ( <<EOF
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv-sha256.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload (hmac-sha256)');
+
+$thex = sprintf("%08x", time - 1800);
+$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
+
+$t->{REQUEST} = ( <<EOF
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv-sha256.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 410 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - gone (timeout) (hmac-sha256)');
+
+$t->{REQUEST} = ( <<EOF
+GET /sec$f HTTP/1.0
+Host: vvv-sha256.example.org
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
+
+ok($tf->handle_http($t) == 0, 'secdownload - direct access (hmac-sha256)');
+
+
+$f = "/noexists";
+$thex = sprintf("%08x", time);
+$m = encode_base64url(hmac_sha256("/$thex$f", $secret));
+
+$t->{REQUEST} = ( <<EOF
+GET /sec/$m/$thex$f HTTP/1.0
+Host: vvv-sha256.example.org
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 404 } ];
-ok($tf->handle_http($t) == 0, 'secdownload - timeout');
+ok($tf->handle_http($t) == 0, 'secdownload - timeout (hmac-sha256)');
+
+## THE END
ok($tf->stop_proc == 0, "Stopping lighttpd");
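Review bot: None of the three algorithm sections sends a token whose MAC is wrong, so every added case would still pass if the server accepted any MAC of the right shape or ignored the configured algorithm; the checks cover only valid, expired, missing-token and missing-file requests. Add at least one rejection case per vhost, for example a token computed with a different secret, and ideally an MD5-style token sent to the `vvv-sha256.example.org` host to pin the new algorithm option. The status in the sketch below assumes the module answers 403 for a bad MAC, which should be confirmed against mod_secdownload.c. The plan in `use Test::More tests => 15;` has to grow by the number of cases added.

```perl
# … unchanged: existing HMAC-SHA256 cases …

## HMAC-SHA256: a token signed with the wrong secret must be rejected
$f = "/index.html";
$thex = sprintf("%08x", time);
$m = encode_base64url(hmac_sha256("/$thex$f", "not-" . $secret));

$t->{REQUEST} = ( <<EOF
GET /sec/$m/$thex$f HTTP/1.0
Host: vvv-sha256.example.org
EOF
 );
# 403 is the assumed rejection status; confirm against mod_secdownload.c
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];

ok($tf->handle_http($t) == 0, 'secdownload - wrong MAC rejected (hmac-sha256)');
```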