Exemple #1
0
func TestNTLMHTTPClient(t *testing.T) {
	// TODO: combine client and server tests so we don't need external server
	if len(*testURL) == 0 {
		t.Skip("Skipping due to empty \"url\" parameter")
	}

	cred, err := negotiate.AcquireCurrentUserCredentials()
	if err != nil {
		t.Fatal(err)
	}
	defer cred.Release()

	secctx, clientToken1, err := negotiate.NewClientContext(cred, "")
	if err != nil {
		t.Fatal(err)
	}
	defer secctx.Release()

	client := newHTTPClient(*testURL)
	defer client.CloseIdleConnections()

	err = client.canDoNegotiate()
	if err != nil {
		t.Fatal(err)
	}
	serverToken1, err := client.startAuthorization(clientToken1)
	if err != nil {
		t.Fatal(err)
	}
	authCompleted, clientToken2, err := secctx.Update(serverToken1)
	if err != nil {
		t.Fatal(err)
	}
	if len(clientToken2) == 0 {
		t.Fatal("secctx.Update returns empty token for the peer, but our authentication is not done yet")
	}
	res, _, err := client.completeAuthorization(clientToken2)
	if err != nil {
		t.Fatal(err)
	}
	if authCompleted {
		return
	}
	serverToken2, err := findAuthHeader(res)
	if err != nil {
		t.Fatal(err)
	}
	authCompleted, lastToken, err := secctx.Update(serverToken2)
	if err != nil {
		t.Fatal(err)
	}
	if !authCompleted {
		t.Fatal("client authentication should be completed now")
	}
	if len(lastToken) > 0 {
		t.Fatalf("last token supposed to be empty, but %v returned", lastToken)
	}
}
Exemple #2
0
func TestKerberosHTTPClient(t *testing.T) {
	// TODO: combine client and server tests so we don't need external server
	if len(*testURL) == 0 {
		t.Skip("Skipping due to empty \"url\" parameter")
	}

	u, err := url.Parse(*testURL)
	if err != nil {
		t.Fatal(err)
	}
	targetName := "http/" + strings.ToUpper(u.Host)

	cred, err := negotiate.AcquireCurrentUserCredentials()
	if err != nil {
		t.Fatal(err)
	}
	defer cred.Release()

	secctx, token, err := negotiate.NewClientContext(cred, targetName)
	if err != nil {
		t.Fatal(err)
	}
	defer secctx.Release()

	client := newHTTPClient(*testURL)
	defer client.CloseIdleConnections()

	err = client.canDoNegotiate()
	if err != nil {
		t.Fatal(err)
	}
	res, _, err := client.completeAuthorization(token)
	if err != nil {
		t.Fatal(err)
	}
	serverToken, err := findAuthHeader(res)
	if err != nil {
		t.Fatal(err)
	}
	authCompleted, lastToken, err := secctx.Update(serverToken)
	if err != nil {
		t.Fatal(err)
	}
	if !authCompleted {
		t.Fatal("client authentication should be completed now")
	}
	if len(lastToken) > 0 {
		t.Fatalf("last token supposed to be empty, but %v returned", lastToken)
	}
}
Exemple #3
0
func testNegotiate(t *testing.T, clientCred *sspi.Credentials, SPN string) {
	if len(SPN) == 0 {
		t.Log("testing with blank SPN")
	} else {
		t.Logf("testing with SPN=%s", SPN)
	}

	serverCred, err := negotiate.AcquireServerCredentials()
	if err != nil {
		t.Fatal(err)
	}
	defer serverCred.Release()

	client, toServerToken, err := negotiate.NewClientContext(clientCred, SPN)
	if err != nil {
		t.Fatal(err)
	}
	defer client.Release()

	if len(toServerToken) == 0 {
		t.Fatal("token for server cannot be empty")
	}
	t.Logf("sent %d bytes to server", len(toServerToken))

	testContextExpiry(t, "clent security context", client)

	server, toClientToken, err := negotiate.NewServerContext(serverCred, toServerToken)
	if err != nil {
		t.Fatal(err)
	}
	defer server.Release()

	testContextExpiry(t, "server security context", server)

	var clientDone, serverDone bool
	for {
		if len(toClientToken) == 0 {
			break
		}
		t.Logf("sent %d bytes to client", len(toClientToken))
		clientDone, toServerToken, err = client.Update(toClientToken)
		if err != nil {
			t.Fatal(err)
		}
		if len(toServerToken) == 0 {
			break
		}
		t.Logf("sent %d bytes to server", len(toServerToken))
		serverDone, toClientToken, err = server.Update(toServerToken)
		if err != nil {
			t.Fatal(err)
		}
	}
	if !clientDone {
		t.Fatal("client authentication should be completed now")
	}
	if !serverDone {
		t.Fatal("server authentication should be completed now")
	}

	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	err = server.ImpersonateUser()
	if err != nil {
		t.Fatal(err)
	}
	defer server.RevertToSelf()

	_, err = user.Current()
	if err != nil {
		t.Fatal(err)
	}
}
Exemple #4
0
func TestNegotiateFailure(t *testing.T) {
	clientCred, err := negotiate.AcquireCurrentUserCredentials()
	if err != nil {
		t.Fatal(err)
	}
	defer clientCred.Release()

	serverCred, err := negotiate.AcquireServerCredentials()
	if err != nil {
		t.Fatal(err)
	}
	defer serverCred.Release()

	client, toServerToken, err := negotiate.NewClientContext(clientCred, "HOST/UNKNOWN_HOST_NAME")
	if err != nil {
		t.Fatal(err)
	}
	defer client.Release()

	if len(toServerToken) == 0 {
		t.Fatal("token for server cannot be empty")
	}
	t.Logf("sent %d bytes to server", len(toServerToken))

	server, toClientToken, err := negotiate.NewServerContext(serverCred, toServerToken)
	if err != nil {
		t.Fatal(err)
	}
	defer server.Release()

	for {
		var clientDone, serverDone bool
		if len(toClientToken) == 0 {
			t.Fatal("token for client cannot be empty")
		}
		t.Logf("sent %d bytes to client", len(toClientToken))
		clientDone, toServerToken, err = client.Update(toClientToken)
		if err != nil {
			t.Fatal(err)
		}
		t.Logf("clientDone=%v serverDone=%v", clientDone, serverDone)
		if clientDone {
			//			t.Fatal("client authentication cannot be completed")
		}
		if len(toServerToken) == 0 {
			t.Fatal("token for server cannot be empty")
		}
		t.Logf("sent %d bytes to server", len(toServerToken))
		serverDone, toClientToken, err = server.Update(toServerToken)
		if err != nil {
			if err == sspi.SEC_E_LOGON_DENIED {
				return
			}
			t.Fatalf("unexpected failure 0x%x: %v", uintptr(err.(syscall.Errno)), err)
		}
		t.Logf("clientDone=%v serverDone=%v", clientDone, serverDone)
		if serverDone {
			t.Fatal("server authentication cannot be completed")
		}
	}
}