-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #889 from dhlavac/apicast_malformed_params_cve
Added test for CVE issue-11435
- Loading branch information
Showing
1 changed file
with
68 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,65 +1,106 @@ | ||
""" | ||
Service requires credentials (app_id, app_key) to be passed using the Basic Auth | ||
Rewrite ./spec/functional_specs/auth/basic_auth_app_id_spec.rb | ||
""" | ||
|
||
import pytest | ||
|
||
from threescale_api.resources import Service | ||
from packaging.version import Version # noqa # pylint: disable=unused-import | ||
|
||
from testsuite import TESTED_VERSION # noqa # pylint: disable=unused-import | ||
from testsuite.capabilities import Capability | ||
from testsuite.gateways.apicast.selfmanaged import SelfManagedApicast | ||
from testsuite.gateways.apicast.system import SystemApicast | ||
from testsuite.httpx import HttpxClient | ||
from testsuite.utils import basic_auth_string | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def service_settings(service_settings): | ||
"Set auth mode to app_id/app_key" | ||
"""Set auth mode to app_id/app_key.""" | ||
service_settings.update({"backend_version": Service.AUTH_APP_ID_KEY}) | ||
return service_settings | ||
|
||
|
||
@pytest.fixture(scope="module") | ||
def service_proxy_settings(service_proxy_settings): | ||
"Set credentials location to 'authorization' (Basic HTTP auth)" | ||
"""Set credentials location to 'authorization' (Basic HTTP auth).""" | ||
service_proxy_settings.update({"credentials_location": "authorization"}) | ||
return service_proxy_settings | ||
|
||
|
||
@pytest.mark.smoke | ||
def test_basic_auth_app_id_key(application, api_client): | ||
"""Test client access with Basic HTTP Auth using app id and app key | ||
Configure Api/Service to use App ID / App Key Authentication | ||
and Basic HTTP Auth to pass the credentials. | ||
@pytest.fixture(scope="module") | ||
def http_client(application): | ||
"""Provide an HttpxClient instance using HTTP 1.1.""" | ||
client = HttpxClient(False, application) | ||
client.auth = None # No default authentication | ||
yield client | ||
client.close() | ||
|
||
Then request made with appropriate Basic auth made has to pass as expected""" | ||
|
||
@pytest.fixture(scope="module") | ||
def valid_auth_headers(application): | ||
"""Generate valid Basic Auth headers.""" | ||
creds = application.authobj().credentials | ||
expected_authorization = basic_auth_string(creds["app_id"], creds["app_key"]) | ||
|
||
response = api_client().get("/get") | ||
authorization = basic_auth_string(creds["app_id"], creds["app_key"]) | ||
return {"Authorization": authorization} | ||
|
||
assert response.status_code == 200 | ||
assert response.request.headers["Authorization"] == expected_authorization | ||
|
||
@pytest.fixture(scope="module") | ||
def malformed_request(http_client): | ||
"""Create a function to make requests with malformed auth headers.""" | ||
|
||
def test_basic_auth_app_id_403_with_query(application, api_client): | ||
"Forbid access if credentials passed wrong way" | ||
client = api_client() | ||
def prepare_request(): | ||
headers = {"Authorization": "Basic test123?"} # Malformed authorization header | ||
return http_client.get("/get", headers=headers) | ||
|
||
client.auth = application.authobj(location="query") | ||
return prepare_request | ||
|
||
response = client.get("/get") | ||
|
||
assert response.status_code == 403 | ||
@pytest.fixture( | ||
scope="module", | ||
params=[ | ||
SystemApicast, | ||
pytest.param(SelfManagedApicast, marks=pytest.mark.required_capabilities(Capability.CUSTOM_ENVIRONMENT)), | ||
], | ||
) | ||
def gateway_kind(request): | ||
"""Gateway class to use for tests""" | ||
return request.param | ||
|
||
|
||
def test_basic_auth_app_id_403_without_auth(api_client): | ||
"Forbid access if no credentials" | ||
@pytest.mark.smoke | ||
def test_basic_auth_success(http_client, valid_auth_headers): | ||
"""Test valid Basic HTTP Auth using app_id and app_key.""" | ||
response = http_client.get("/get", headers=valid_auth_headers) | ||
assert response.status_code == 200, "Valid request failed unexpectedly." | ||
assert response.request.headers["Authorization"] == valid_auth_headers["Authorization"] | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"auth_method, expected_status", | ||
[ | ||
("query", 403), # Credentials passed as query parameters | ||
(None, 403), # No credentials | ||
], | ||
) | ||
def test_basic_auth_failure(api_client, application, auth_method, expected_status): | ||
"""Test forbidden access when credentials are passed incorrectly or missing.""" | ||
client = api_client() | ||
client.auth = application.authobj(location=auth_method) if auth_method else None | ||
response = client.get("/get") | ||
assert response.status_code == expected_status | ||
|
||
client.auth = None | ||
|
||
response = client.get("/get") | ||
@pytest.mark.skipif("TESTED_VERSION < Version('2.14')") | ||
@pytest.mark.issue("https://issues.redhat.com/browse/THREESCALE-11435") | ||
# pylint: disable=unused-argument | ||
def test_basic_auth_malformed_secret(http_client, valid_auth_headers, malformed_request, gateway_kind): | ||
"""Test malformed Basic Auth headers.""" | ||
# Valid request | ||
response = http_client.get("/get", headers=valid_auth_headers) | ||
assert response.status_code == 200, "Valid request failed unexpectedly." | ||
|
||
assert response.status_code == 403 | ||
# Malformed request | ||
malformed_status_code = malformed_request().status_code | ||
assert malformed_status_code == 403, "Malformed request did not return 403 as expected." |