func TestNTLMHTTPClient(t *testing.T) {
// TODO: combine client and server tests so we don't need external server
if len(*testURL) == 0 {
t.Skip("Skipping due to empty \"url\" parameter")
}
cred, err := negotiate.AcquireCurrentUserCredentials()
if err != nil {
t.Fatal(err)
}
defer cred.Release()
secctx, clientToken1, err := negotiate.NewClientContext(cred, "")
if err != nil {
t.Fatal(err)
}
defer secctx.Release()
client := newHTTPClient(*testURL)
defer client.CloseIdleConnections()
err = client.canDoNegotiate()
if err != nil {
t.Fatal(err)
}
serverToken1, err := client.startAuthorization(clientToken1)
if err != nil {
t.Fatal(err)
}
authCompleted, clientToken2, err := secctx.Update(serverToken1)
if err != nil {
t.Fatal(err)
}
if len(clientToken2) == 0 {
t.Fatal("secctx.Update returns empty token for the peer, but our authentication is not done yet")
}
res, _, err := client.completeAuthorization(clientToken2)
if err != nil {
t.Fatal(err)
}
if authCompleted {
return
}
serverToken2, err := findAuthHeader(res)
if err != nil {
t.Fatal(err)
}
authCompleted, lastToken, err := secctx.Update(serverToken2)
if err != nil {
t.Fatal(err)
}
if !authCompleted {
t.Fatal("client authentication should be completed now")
}
if len(lastToken) > 0 {
t.Fatalf("last token supposed to be empty, but %v returned", lastToken)
}
}
func TestKerberosHTTPClient(t *testing.T) {
// TODO: combine client and server tests so we don't need external server
if len(*testURL) == 0 {
t.Skip("Skipping due to empty \"url\" parameter")
}
u, err := url.Parse(*testURL)
if err != nil {
t.Fatal(err)
}
targetName := "http/" + strings.ToUpper(u.Host)
cred, err := negotiate.AcquireCurrentUserCredentials()
if err != nil {
t.Fatal(err)
}
defer cred.Release()
secctx, token, err := negotiate.NewClientContext(cred, targetName)
if err != nil {
t.Fatal(err)
}
defer secctx.Release()
client := newHTTPClient(*testURL)
defer client.CloseIdleConnections()
err = client.canDoNegotiate()
if err != nil {
t.Fatal(err)
}
res, _, err := client.completeAuthorization(token)
if err != nil {
t.Fatal(err)
}
serverToken, err := findAuthHeader(res)
if err != nil {
t.Fatal(err)
}
authCompleted, lastToken, err := secctx.Update(serverToken)
if err != nil {
t.Fatal(err)
}
if !authCompleted {
t.Fatal("client authentication should be completed now")
}
if len(lastToken) > 0 {
t.Fatalf("last token supposed to be empty, but %v returned", lastToken)
}
}
func testNegotiate(t *testing.T, clientCred *sspi.Credentials, SPN string) {
if len(SPN) == 0 {
t.Log("testing with blank SPN")
} else {
t.Logf("testing with SPN=%s", SPN)
}
serverCred, err := negotiate.AcquireServerCredentials()
if err != nil {
t.Fatal(err)
}
defer serverCred.Release()
client, toServerToken, err := negotiate.NewClientContext(clientCred, SPN)
if err != nil {
t.Fatal(err)
}
defer client.Release()
if len(toServerToken) == 0 {
t.Fatal("token for server cannot be empty")
}
t.Logf("sent %d bytes to server", len(toServerToken))
testContextExpiry(t, "clent security context", client)
server, toClientToken, err := negotiate.NewServerContext(serverCred, toServerToken)
if err != nil {
t.Fatal(err)
}
defer server.Release()
testContextExpiry(t, "server security context", server)
var clientDone, serverDone bool
for {
if len(toClientToken) == 0 {
break
}
t.Logf("sent %d bytes to client", len(toClientToken))
clientDone, toServerToken, err = client.Update(toClientToken)
if err != nil {
t.Fatal(err)
}
if len(toServerToken) == 0 {
break
}
t.Logf("sent %d bytes to server", len(toServerToken))
serverDone, toClientToken, err = server.Update(toServerToken)
if err != nil {
t.Fatal(err)
}
}
if !clientDone {
t.Fatal("client authentication should be completed now")
}
if !serverDone {
t.Fatal("server authentication should be completed now")
}
runtime.LockOSThread()
defer runtime.UnlockOSThread()
err = server.ImpersonateUser()
if err != nil {
t.Fatal(err)
}
defer server.RevertToSelf()
_, err = user.Current()
if err != nil {
t.Fatal(err)
}
}
func TestNegotiateFailure(t *testing.T) {
clientCred, err := negotiate.AcquireCurrentUserCredentials()
if err != nil {
t.Fatal(err)
}
defer clientCred.Release()
serverCred, err := negotiate.AcquireServerCredentials()
if err != nil {
t.Fatal(err)
}
defer serverCred.Release()
client, toServerToken, err := negotiate.NewClientContext(clientCred, "HOST/UNKNOWN_HOST_NAME")
if err != nil {
t.Fatal(err)
}
defer client.Release()
if len(toServerToken) == 0 {
t.Fatal("token for server cannot be empty")
}
t.Logf("sent %d bytes to server", len(toServerToken))
server, toClientToken, err := negotiate.NewServerContext(serverCred, toServerToken)
if err != nil {
t.Fatal(err)
}
defer server.Release()
for {
var clientDone, serverDone bool
if len(toClientToken) == 0 {
t.Fatal("token for client cannot be empty")
}
t.Logf("sent %d bytes to client", len(toClientToken))
clientDone, toServerToken, err = client.Update(toClientToken)
if err != nil {
t.Fatal(err)
}
t.Logf("clientDone=%v serverDone=%v", clientDone, serverDone)
if clientDone {
// t.Fatal("client authentication cannot be completed")
}
if len(toServerToken) == 0 {
t.Fatal("token for server cannot be empty")
}
t.Logf("sent %d bytes to server", len(toServerToken))
serverDone, toClientToken, err = server.Update(toServerToken)
if err != nil {
if err == sspi.SEC_E_LOGON_DENIED {
return
}
t.Fatalf("unexpected failure 0x%x: %v", uintptr(err.(syscall.Errno)), err)
}
t.Logf("clientDone=%v serverDone=%v", clientDone, serverDone)
if serverDone {
t.Fatal("server authentication cannot be completed")
}
}
}