[thirdparty/git.git] / t / t5563-simple-http-auth.sh

#!/bin/sh

test_description='test http auth header and credential helper interop'

. ./test-lib.sh
. "$TEST_DIRECTORY"/lib-httpd.sh

enable_cgipassauth
if ! test_have_prereq CGIPASSAUTH
then
	skip_all="no CGIPassAuth support"
	test_done
fi
start_httpd

test_expect_success 'setup_credential_helper' '
	mkdir "$TRASH_DIRECTORY/bin" &&
	PATH=$PATH:"$TRASH_DIRECTORY/bin" &&
	export PATH &&

	CREDENTIAL_HELPER="$TRASH_DIRECTORY/bin/git-credential-test-helper" &&
	write_script "$CREDENTIAL_HELPER" <<-\EOF
	cmd=$1
	teefile=$cmd-query-temp.cred
	catfile=$cmd-reply.cred
	sed -n -e "/^$/q" -e "p" >>$teefile
	state=$(sed -ne "s/^state\[\]=helper://p" "$teefile")
	if test -z "$state"
	then
		mv "$teefile" "$cmd-query.cred"
	else
		mv "$teefile" "$cmd-query-$state.cred"
		catfile="$cmd-reply-$state.cred"
	fi
	if test "$cmd" = "get"
	then
		cat $catfile
	fi
	EOF
'

set_credential_reply () {
	local suffix="$(test -n "$2" && echo "-$2")"
	cat >"$TRASH_DIRECTORY/$1-reply$suffix.cred"
}

expect_credential_query () {
	local suffix="$(test -n "$2" && echo "-$2")"
	cat >"$TRASH_DIRECTORY/$1-expect$suffix.cred" &&
	test_cmp "$TRASH_DIRECTORY/$1-expect$suffix.cred" \
		 "$TRASH_DIRECTORY/$1-query$suffix.cred"
}

per_test_cleanup () {
	rm -f *.cred &&
	rm -f "$HTTPD_ROOT_PATH"/custom-auth.valid \
	      "$HTTPD_ROOT_PATH"/custom-auth.challenge
}

test_expect_success 'setup repository' '
	test_commit foo &&
	git init --bare "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
	git push --mirror "$HTTPD_DOCUMENT_ROOT_PATH/repo.git"
'

test_expect_success 'access using basic auth' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using basic auth via authtype' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	capability[]=authtype
	authtype=Basic
	credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	GIT_CURL_VERBOSE=1 git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	capability[]=authtype
	authtype=Basic
	credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	protocol=http
	host=$HTTPD_DEST
	EOF
'

test_expect_success 'access using basic auth invalid credentials' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=baduser
	password=wrong-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query erase <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=baduser
	password=wrong-passwd
	wwwauth[]=Basic realm="example.com"
	EOF
'

test_expect_success 'access using basic auth with extra challenges' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using basic auth mixed-case wwwauth header name' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=www-authenticate: foobar param1="value1" param2="value2"
	id=default response=WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0
	id=default response=WwW-aUtHeNtIcAtE: baSiC realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=foobar param1="value1" param2="value2"
	wwwauth[]=BEARER authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=baSiC realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using basic auth with wwwauth header continuations' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	# Note that leading and trailing whitespace is important to correctly
	# simulate a continuation/folded header.
	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: FooBar param1="value1"
	id=default response= param2="value2"
	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com"
	id=default response= p=1
	id=default response= q=0
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using basic auth with wwwauth header empty continuations' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&

	# Note that leading and trailing whitespace is important to correctly
	# simulate a continuation/folded header.
	printf "id=1 status=200\n" >"$CHALLENGE" &&
	printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	printf "id=default response= param2=\"value2\"\r\n" >>"$CHALLENGE" &&
	printf "id=default response=WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" &&
	printf "id=default response= p=1\r\n" >>"$CHALLENGE" &&
	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	printf "id=default response= q=0\r\n" >>"$CHALLENGE" &&
	printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" &&

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using basic auth with wwwauth header mixed line-endings' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	username=alice
	password=secret-passwd
	EOF

	# Basic base64(alice:secret-passwd)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	EOF

	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&

	# Note that leading and trailing whitespace is important to correctly
	# simulate a continuation/folded header.
	printf "id=1 status=200\n" >"$CHALLENGE" &&
	printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	printf "id=default response=\tparam2=\"value2\"\r\n" >>"$CHALLENGE" &&
	printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" &&

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	protocol=http
	host=$HTTPD_DEST
	username=alice
	password=secret-passwd
	EOF
'

test_expect_success 'access using bearer auth' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	capability[]=authtype
	authtype=Bearer
	credential=YS1naXQtdG9rZW4=
	EOF

	# Basic base64(a-git-token)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Bearer YS1naXQtdG9rZW4=
	EOF

	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query store <<-EOF
	capability[]=authtype
	authtype=Bearer
	credential=YS1naXQtdG9rZW4=
	protocol=http
	host=$HTTPD_DEST
	EOF
'

test_expect_success 'access using bearer auth with invalid credentials' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	capability[]=authtype
	authtype=Bearer
	credential=incorrect-token
	EOF

	# Basic base64(a-git-token)
	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Bearer YS1naXQtdG9rZW4=
	EOF

	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=200
	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	id=default response=WWW-Authenticate: Basic realm="example.com"
	EOF

	test_config_global credential.helper test-helper &&
	test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF

	expect_credential_query erase <<-EOF
	capability[]=authtype
	authtype=Bearer
	credential=incorrect-token
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=FooBar param1="value1" param2="value2"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	wwwauth[]=Basic realm="example.com"
	EOF
'

test_expect_success 'access using three-legged auth' '
	test_when_finished "per_test_cleanup" &&

	set_credential_reply get <<-EOF &&
	capability[]=authtype
	capability[]=state
	authtype=Multistage
	credential=YS1naXQtdG9rZW4=
	state[]=helper:foobar
	continue=1
	EOF

	set_credential_reply get foobar <<-EOF &&
	capability[]=authtype
	capability[]=state
	authtype=Multistage
	credential=YW5vdGhlci10b2tlbg==
	state[]=helper:bazquux
	EOF

	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	id=1 creds=Multistage YS1naXQtdG9rZW4=
	id=2 creds=Multistage YW5vdGhlci10b2tlbg==
	EOF

	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&

	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	id=1 status=401 response=WWW-Authenticate: Multistage challenge="456"
	id=1 status=401 response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	id=2 status=200
	id=default response=WWW-Authenticate: Multistage challenge="123"
	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	EOF

	test_config_global credential.helper test-helper &&
	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&

	expect_credential_query get <<-EOF &&
	capability[]=authtype
	capability[]=state
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=Multistage challenge="123"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	EOF

	expect_credential_query get foobar <<-EOF &&
	capability[]=authtype
	capability[]=state
	authtype=Multistage
	protocol=http
	host=$HTTPD_DEST
	wwwauth[]=Multistage challenge="456"
	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	state[]=helper:foobar
	EOF

	expect_credential_query store bazquux <<-EOF
	capability[]=authtype
	capability[]=state
	authtype=Multistage
	credential=YW5vdGhlci10b2tlbg==
	protocol=http
	host=$HTTPD_DEST
	state[]=helper:bazquux
	EOF
'

test_done
Commit	Line	Data
988aad99 MJC	1	#!/bin/sh
	2
	3	test_description='test http auth header and credential helper interop'
	4
	5	. ./test-lib.sh
	6	. "$TEST_DIRECTORY"/lib-httpd.sh
	7
eb1c42da JK	8	enable_cgipassauth
	9	if ! test_have_prereq CGIPASSAUTH
	10	then
	11	skip_all="no CGIPassAuth support"
	12	test_done
	13	fi
988aad99 MJC	14	start_httpd
	15
	16	test_expect_success 'setup_credential_helper' '
	17	mkdir "$TRASH_DIRECTORY/bin" &&
	18	PATH=$PATH:"$TRASH_DIRECTORY/bin" &&
	19	export PATH &&
	20
	21	CREDENTIAL_HELPER="$TRASH_DIRECTORY/bin/git-credential-test-helper" &&
	22	write_script "$CREDENTIAL_HELPER" <<-\EOF
	23	cmd=$1
ac4c7cbf	24	teefile=$cmd-query-temp.cred
988aad99 MJC	25	catfile=$cmd-reply.cred
988aad99 MJC	26	sed -n -e "/^$/q" -e "p" >>$teefile
ac4c7cbf	27	state=$(sed -ne "s/^state\[\]=helper://p" "$teefile")
	28	if test -z "$state"
	29	then
	30	mv "$teefile" "$cmd-query.cred"
	31	else
	32	mv "$teefile" "$cmd-query-$state.cred"
	33	catfile="$cmd-reply-$state.cred"
	34	fi
988aad99 MJC	35	if test "$cmd" = "get"
	36	then
	37	cat $catfile
	38	fi
	39	EOF
	40	'
	41
	42	set_credential_reply () {
ac4c7cbf	43	local suffix="$(test -n "$2" && echo "-$2")"
ac4c7cbf	44	cat >"$TRASH_DIRECTORY/$1-reply$suffix.cred"
988aad99 MJC	45	}
	46
	47	expect_credential_query () {
ac4c7cbf	48	local suffix="$(test -n "$2" && echo "-$2")"
	49	cat >"$TRASH_DIRECTORY/$1-expect$suffix.cred" &&
	50	test_cmp "$TRASH_DIRECTORY/$1-expect$suffix.cred" \
	51	"$TRASH_DIRECTORY/$1-query$suffix.cred"
988aad99 MJC	52	}
	53
	54	per_test_cleanup () {
	55	rm -f *.cred &&
	56	rm -f "$HTTPD_ROOT_PATH"/custom-auth.valid \
	57	"$HTTPD_ROOT_PATH"/custom-auth.challenge
	58	}
	59
	60	test_expect_success 'setup repository' '
	61	test_commit foo &&
	62	git init --bare "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
	63	git push --mirror "$HTTPD_DOCUMENT_ROOT_PATH/repo.git"
	64	'
	65
	66	test_expect_success 'access using basic auth' '
	67	test_when_finished "per_test_cleanup" &&
	68
	69	set_credential_reply get <<-EOF &&
	70	username=alice
	71	password=secret-passwd
	72	EOF
	73
	74	# Basic base64(alice:secret-passwd)
	75	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	76	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
988aad99 MJC	77	EOF
	78
	79	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	80	id=1 status=200
37417b77	81	id=default response=WWW-Authenticate: Basic realm="example.com"
988aad99 MJC	82	EOF
	83
	84	test_config_global credential.helper test-helper &&
	85	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	86
	87	expect_credential_query get <<-EOF &&
ad9bb6df	88	capability[]=authtype
36f7d865	89	capability[]=state
988aad99 MJC	90	protocol=http
988aad99 MJC	91	host=$HTTPD_DEST
5f2117b2 MJC	92	wwwauth[]=Basic realm="example.com"
	93	EOF
	94
	95	expect_credential_query store <<-EOF
	96	protocol=http
	97	host=$HTTPD_DEST
	98	username=alice
	99	password=secret-passwd
	100	EOF
	101	'
	102
ad9bb6df	103	test_expect_success 'access using basic auth via authtype' '
	104	test_when_finished "per_test_cleanup" &&
	105
	106	set_credential_reply get <<-EOF &&
	107	capability[]=authtype
	108	authtype=Basic
	109	credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	110	EOF
	111
	112	# Basic base64(alice:secret-passwd)
	113	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	114	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
ad9bb6df	115	EOF
	116
	117	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	118	id=1 status=200
37417b77	119	id=default response=WWW-Authenticate: Basic realm="example.com"
ad9bb6df	120	EOF
	121
	122	test_config_global credential.helper test-helper &&
	123	GIT_CURL_VERBOSE=1 git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	124
	125	expect_credential_query get <<-EOF &&
	126	capability[]=authtype
36f7d865	127	capability[]=state
ad9bb6df	128	protocol=http
	129	host=$HTTPD_DEST
	130	wwwauth[]=Basic realm="example.com"
	131	EOF
	132
	133	expect_credential_query store <<-EOF
	134	capability[]=authtype
	135	authtype=Basic
	136	credential=YWxpY2U6c2VjcmV0LXBhc3N3ZA==
	137	protocol=http
	138	host=$HTTPD_DEST
	139	EOF
	140	'
	141
5f2117b2 MJC	142	test_expect_success 'access using basic auth invalid credentials' '
	143	test_when_finished "per_test_cleanup" &&
	144
	145	set_credential_reply get <<-EOF &&
	146	username=baduser
	147	password=wrong-passwd
	148	EOF
	149
	150	# Basic base64(alice:secret-passwd)
	151	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	152	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	153	EOF
	154
	155	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	156	id=1 status=200
37417b77	157	id=default response=WWW-Authenticate: Basic realm="example.com"
5f2117b2 MJC	158	EOF
	159
	160	test_config_global credential.helper test-helper &&
	161	test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	162
	163	expect_credential_query get <<-EOF &&
ad9bb6df	164	capability[]=authtype
36f7d865	165	capability[]=state
5f2117b2 MJC	166	protocol=http
	167	host=$HTTPD_DEST
	168	wwwauth[]=Basic realm="example.com"
	169	EOF
	170
	171	expect_credential_query erase <<-EOF
	172	protocol=http
	173	host=$HTTPD_DEST
	174	username=baduser
	175	password=wrong-passwd
	176	wwwauth[]=Basic realm="example.com"
	177	EOF
	178	'
	179
	180	test_expect_success 'access using basic auth with extra challenges' '
	181	test_when_finished "per_test_cleanup" &&
	182
	183	set_credential_reply get <<-EOF &&
	184	username=alice
	185	password=secret-passwd
	186	EOF
	187
	188	# Basic base64(alice:secret-passwd)
	189	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	190	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	191	EOF
	192
	193	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	194	id=1 status=200
	195	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	196	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	197	id=default response=WWW-Authenticate: Basic realm="example.com"
5f2117b2 MJC	198	EOF
	199
	200	test_config_global credential.helper test-helper &&
	201	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	202
	203	expect_credential_query get <<-EOF &&
ad9bb6df	204	capability[]=authtype
36f7d865	205	capability[]=state
5f2117b2 MJC	206	protocol=http
	207	host=$HTTPD_DEST
	208	wwwauth[]=FooBar param1="value1" param2="value2"
	209	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	210	wwwauth[]=Basic realm="example.com"
	211	EOF
	212
	213	expect_credential_query store <<-EOF
	214	protocol=http
	215	host=$HTTPD_DEST
	216	username=alice
	217	password=secret-passwd
	218	EOF
	219	'
	220
	221	test_expect_success 'access using basic auth mixed-case wwwauth header name' '
	222	test_when_finished "per_test_cleanup" &&
	223
	224	set_credential_reply get <<-EOF &&
	225	username=alice
	226	password=secret-passwd
	227	EOF
	228
	229	# Basic base64(alice:secret-passwd)
	230	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	231	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	232	EOF
	233
	234	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	235	id=1 status=200
	236	id=default response=www-authenticate: foobar param1="value1" param2="value2"
	237	id=default response=WWW-AUTHENTICATE: BEARER authorize_uri="id.example.com" p=1 q=0
	238	id=default response=WwW-aUtHeNtIcAtE: baSiC realm="example.com"
5f2117b2 MJC	239	EOF
	240
	241	test_config_global credential.helper test-helper &&
	242	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	243
	244	expect_credential_query get <<-EOF &&
ad9bb6df	245	capability[]=authtype
36f7d865	246	capability[]=state
5f2117b2 MJC	247	protocol=http
	248	host=$HTTPD_DEST
	249	wwwauth[]=foobar param1="value1" param2="value2"
	250	wwwauth[]=BEARER authorize_uri="id.example.com" p=1 q=0
	251	wwwauth[]=baSiC realm="example.com"
	252	EOF
	253
	254	expect_credential_query store <<-EOF
	255	protocol=http
	256	host=$HTTPD_DEST
	257	username=alice
	258	password=secret-passwd
	259	EOF
	260	'
	261
	262	test_expect_success 'access using basic auth with wwwauth header continuations' '
	263	test_when_finished "per_test_cleanup" &&
	264
	265	set_credential_reply get <<-EOF &&
	266	username=alice
	267	password=secret-passwd
	268	EOF
	269
	270	# Basic base64(alice:secret-passwd)
	271	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	272	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	273	EOF
	274
	275	# Note that leading and trailing whitespace is important to correctly
	276	# simulate a continuation/folded header.
	277	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	278	id=1 status=200
	279	id=default response=WWW-Authenticate: FooBar param1="value1"
	280	id=default response= param2="value2"
	281	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com"
	282	id=default response= p=1
	283	id=default response= q=0
	284	id=default response=WWW-Authenticate: Basic realm="example.com"
5f2117b2 MJC	285	EOF
	286
	287	test_config_global credential.helper test-helper &&
	288	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	289
	290	expect_credential_query get <<-EOF &&
ad9bb6df	291	capability[]=authtype
36f7d865	292	capability[]=state
5f2117b2 MJC	293	protocol=http
	294	host=$HTTPD_DEST
	295	wwwauth[]=FooBar param1="value1" param2="value2"
	296	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	297	wwwauth[]=Basic realm="example.com"
	298	EOF
	299
	300	expect_credential_query store <<-EOF
	301	protocol=http
	302	host=$HTTPD_DEST
	303	username=alice
	304	password=secret-passwd
	305	EOF
	306	'
	307
	308	test_expect_success 'access using basic auth with wwwauth header empty continuations' '
	309	test_when_finished "per_test_cleanup" &&
	310
	311	set_credential_reply get <<-EOF &&
	312	username=alice
	313	password=secret-passwd
	314	EOF
	315
	316	# Basic base64(alice:secret-passwd)
	317	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	318	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	319	EOF
	320
	321	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
	322
	323	# Note that leading and trailing whitespace is important to correctly
	324	# simulate a continuation/folded header.
37417b77	325	printf "id=1 status=200\n" >"$CHALLENGE" &&
	326	printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
	327	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	328	printf "id=default response= param2=\"value2\"\r\n" >>"$CHALLENGE" &&
	329	printf "id=default response=WWW-Authenticate: Bearer authorize_uri=\"id.example.com\"\r\n" >>"$CHALLENGE" &&
	330	printf "id=default response= p=1\r\n" >>"$CHALLENGE" &&
	331	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	332	printf "id=default response= q=0\r\n" >>"$CHALLENGE" &&
	333	printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" &&
5f2117b2 MJC	334
	335	test_config_global credential.helper test-helper &&
	336	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	337
	338	expect_credential_query get <<-EOF &&
ad9bb6df	339	capability[]=authtype
36f7d865	340	capability[]=state
5f2117b2 MJC	341	protocol=http
	342	host=$HTTPD_DEST
	343	wwwauth[]=FooBar param1="value1" param2="value2"
	344	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	345	wwwauth[]=Basic realm="example.com"
	346	EOF
	347
	348	expect_credential_query store <<-EOF
	349	protocol=http
	350	host=$HTTPD_DEST
	351	username=alice
	352	password=secret-passwd
	353	EOF
	354	'
	355
	356	test_expect_success 'access using basic auth with wwwauth header mixed line-endings' '
	357	test_when_finished "per_test_cleanup" &&
	358
	359	set_credential_reply get <<-EOF &&
	360	username=alice
	361	password=secret-passwd
	362	EOF
	363
	364	# Basic base64(alice:secret-passwd)
	365	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	366	id=1 creds=Basic YWxpY2U6c2VjcmV0LXBhc3N3ZA==
5f2117b2 MJC	367	EOF
	368
	369	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
	370
	371	# Note that leading and trailing whitespace is important to correctly
	372	# simulate a continuation/folded header.
37417b77	373	printf "id=1 status=200\n" >"$CHALLENGE" &&
	374	printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" &&
	375	printf "id=default response= \r\n" >>"$CHALLENGE" &&
	376	printf "id=default response=\tparam2=\"value2\"\r\n" >>"$CHALLENGE" &&
	377	printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" &&
5f2117b2 MJC	378
	379	test_config_global credential.helper test-helper &&
	380	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	381
	382	expect_credential_query get <<-EOF &&
ad9bb6df	383	capability[]=authtype
36f7d865	384	capability[]=state
5f2117b2 MJC	385	protocol=http
	386	host=$HTTPD_DEST
	387	wwwauth[]=FooBar param1="value1" param2="value2"
	388	wwwauth[]=Basic realm="example.com"
988aad99 MJC	389	EOF
	390
	391	expect_credential_query store <<-EOF
	392	protocol=http
	393	host=$HTTPD_DEST
	394	username=alice
	395	password=secret-passwd
	396	EOF
	397	'
	398
ad9bb6df	399	test_expect_success 'access using bearer auth' '
	400	test_when_finished "per_test_cleanup" &&
	401
	402	set_credential_reply get <<-EOF &&
	403	capability[]=authtype
	404	authtype=Bearer
	405	credential=YS1naXQtdG9rZW4=
	406	EOF
	407
	408	# Basic base64(a-git-token)
	409	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	410	id=1 creds=Bearer YS1naXQtdG9rZW4=
ad9bb6df	411	EOF
	412
	413	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
	414
	415	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	416	id=1 status=200
	417	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	418	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	419	id=default response=WWW-Authenticate: Basic realm="example.com"
ad9bb6df	420	EOF
	421
	422	test_config_global credential.helper test-helper &&
	423	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	424
	425	expect_credential_query get <<-EOF &&
	426	capability[]=authtype
36f7d865	427	capability[]=state
ad9bb6df	428	protocol=http
	429	host=$HTTPD_DEST
	430	wwwauth[]=FooBar param1="value1" param2="value2"
	431	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	432	wwwauth[]=Basic realm="example.com"
	433	EOF
	434
	435	expect_credential_query store <<-EOF
	436	capability[]=authtype
	437	authtype=Bearer
	438	credential=YS1naXQtdG9rZW4=
	439	protocol=http
	440	host=$HTTPD_DEST
	441	EOF
	442	'
	443
	444	test_expect_success 'access using bearer auth with invalid credentials' '
	445	test_when_finished "per_test_cleanup" &&
	446
	447	set_credential_reply get <<-EOF &&
	448	capability[]=authtype
	449	authtype=Bearer
	450	credential=incorrect-token
	451	EOF
	452
	453	# Basic base64(a-git-token)
	454	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
37417b77	455	id=1 creds=Bearer YS1naXQtdG9rZW4=
ad9bb6df	456	EOF
	457
	458	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
	459
	460	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
37417b77	461	id=1 status=200
	462	id=default response=WWW-Authenticate: FooBar param1="value1" param2="value2"
	463	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	464	id=default response=WWW-Authenticate: Basic realm="example.com"
ad9bb6df	465	EOF
	466
	467	test_config_global credential.helper test-helper &&
	468	test_must_fail git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	469
	470	expect_credential_query get <<-EOF &&
	471	capability[]=authtype
36f7d865	472	capability[]=state
ad9bb6df	473	protocol=http
	474	host=$HTTPD_DEST
	475	wwwauth[]=FooBar param1="value1" param2="value2"
	476	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	477	wwwauth[]=Basic realm="example.com"
	478	EOF
	479
	480	expect_credential_query erase <<-EOF
	481	capability[]=authtype
	482	authtype=Bearer
	483	credential=incorrect-token
	484	protocol=http
	485	host=$HTTPD_DEST
	486	wwwauth[]=FooBar param1="value1" param2="value2"
	487	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	488	wwwauth[]=Basic realm="example.com"
	489	EOF
	490	'
	491
ac4c7cbf	492	test_expect_success 'access using three-legged auth' '
	493	test_when_finished "per_test_cleanup" &&
	494
	495	set_credential_reply get <<-EOF &&
	496	capability[]=authtype
	497	capability[]=state
	498	authtype=Multistage
	499	credential=YS1naXQtdG9rZW4=
	500	state[]=helper:foobar
	501	continue=1
	502	EOF
	503
	504	set_credential_reply get foobar <<-EOF &&
	505	capability[]=authtype
	506	capability[]=state
	507	authtype=Multistage
	508	credential=YW5vdGhlci10b2tlbg==
	509	state[]=helper:bazquux
	510	EOF
	511
	512	cat >"$HTTPD_ROOT_PATH/custom-auth.valid" <<-EOF &&
	513	id=1 creds=Multistage YS1naXQtdG9rZW4=
	514	id=2 creds=Multistage YW5vdGhlci10b2tlbg==
	515	EOF
	516
	517	CHALLENGE="$HTTPD_ROOT_PATH/custom-auth.challenge" &&
	518
	519	cat >"$HTTPD_ROOT_PATH/custom-auth.challenge" <<-EOF &&
	520	id=1 status=401 response=WWW-Authenticate: Multistage challenge="456"
	521	id=1 status=401 response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	522	id=2 status=200
	523	id=default response=WWW-Authenticate: Multistage challenge="123"
	524	id=default response=WWW-Authenticate: Bearer authorize_uri="id.example.com" p=1 q=0
	525	EOF
	526
	527	test_config_global credential.helper test-helper &&
	528	git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&
	529
	530	expect_credential_query get <<-EOF &&
	531	capability[]=authtype
	532	capability[]=state
	533	protocol=http
	534	host=$HTTPD_DEST
	535	wwwauth[]=Multistage challenge="123"
	536	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	537	EOF
	538
	539	expect_credential_query get foobar <<-EOF &&
	540	capability[]=authtype
	541	capability[]=state
	542	authtype=Multistage
	543	protocol=http
	544	host=$HTTPD_DEST
	545	wwwauth[]=Multistage challenge="456"
	546	wwwauth[]=Bearer authorize_uri="id.example.com" p=1 q=0
	547	state[]=helper:foobar
	548	EOF
	549
	550	expect_credential_query store bazquux <<-EOF
	551	capability[]=authtype
	552	capability[]=state
	553	authtype=Multistage
	554	credential=YW5vdGhlci10b2tlbg==
	555	protocol=http
556	host=$HTTPD_DEST
557	state[]=helper:bazquux
558	EOF
559	'
560
988aad99	561	test_done