Add test for basic auth with two different users over the same connection

Make sure each request is authenticated according to given credentials
even when GssapiConnectionBound is set.

Reviewed-by: Simo Sorce <simo@redhat.com>

Author: iboukris

tests/httpd.conf

@@ -62,13 +62,14 @@ LoadModule unixd_module modules/mod_unixd.so
 LoadModule userdir_module modules/mod_userdir.so
 LoadModule version_module modules/mod_version.so
 LoadModule vhost_alias_module modules/mod_vhost_alias.so
-
 LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
 
 LoadModule auth_gssapi_module mod_auth_gssapi.so
 
 
 <Directory />
+    Options +Includes
+    AddOutputFilter INCLUDES .html
     AllowOverride none
     Require all denied
 </Directory>
@@ -117,6 +118,7 @@ IncludeOptional conf.d/*.conf
 
 CoreDumpDirectory /tmp
 
+
 <Location /spnego>
   AuthType GSSAPI
   AuthName "Login"
@@ -133,6 +135,8 @@ CoreDumpDirectory /tmp
 </Location>
 
 <Location /basic_auth_krb5>
+  Options +Includes
+  AddOutputFilter INCLUDES .html
   AuthType GSSAPI
   AuthName "Password Login"
   GssapiSSLonly Off
@@ -141,6 +145,7 @@ CoreDumpDirectory /tmp
   GssapiCredStore keytab:${HTTPROOT}/http.keytab
   GssapiBasicAuth On
   GssapiBasicAuthMech krb5
+  GssapiConnectionBound On
   Require valid-user
 </Location>
 

tests/index.html

@@ -1 +1 @@
-WORKS
+<!--#echo var="GSS_NAME" -->

tests/magtests.py

@@ -73,8 +73,8 @@ def setup_wrappers(base):
   }
 
 [domain_realm]
-  .mag.dev = MAG.DEV
-  mag.dev = MAG.DEV
+  .mag.dev = ${TESTREALM}
+  mag.dev = ${TESTREALM}
 
 [dbmodules]
   ${TESTREALM} = {
@@ -167,6 +167,8 @@ def kadmin_local(cmd, env, logfile):
 
 USR_NAME = "maguser"
 USR_PWD = "magpwd"
+USR_NAME_2 = "maguser2"
+USR_PWD_2 = "magpwd2"
 SVC_KTNAME = "httpd/http.keytab"
 KEY_TYPE = "aes256-cts-hmac-sha1-96:normal"
 
@@ -188,6 +190,10 @@ def setup_keys(tesdir, env):
     with (open(testlog, 'a')) as logfile:
         kadmin_local(cmd, env, logfile)
 
+    cmd = "addprinc -pw %s -e %s %s" % (USR_PWD_2, KEY_TYPE, USR_NAME_2)
+    with (open(testlog, 'a')) as logfile:
+        kadmin_local(cmd, env, logfile)
+
     keys_env = { "KRB5_KTNAME": svc_keytab }
     keys_env.update(env)
 
@@ -280,6 +286,16 @@ def test_basic_auth_krb5(testdir, testenv, testlog):
         else:
             sys.stderr.write('BASIC-AUTH: SUCCESS\n')
 
+    with (open(testlog, 'a')) as logfile:
+        basick5 = subprocess.Popen(["tests/t_basic_k5_two_users.py"],
+                                   stdout=logfile, stderr=logfile,
+                                   env=testenv, preexec_fn=os.setsid)
+        basick5.wait()
+        if basick5.returncode != 0:
+            sys.stderr.write('BASIC-AUTH Two Users: FAILED\n')
+        else:
+            sys.stderr.write('BASIC-AUTH Two Users: SUCCESS\n')
+
 
 if __name__ == '__main__':
 
@@ -310,7 +326,9 @@ def test_basic_auth_krb5(testdir, testenv, testlog):
 
 
         testenv = {'MAG_USER_NAME': USR_NAME,
-                   'MAG_USER_PASSWORD': USR_PWD}
+                   'MAG_USER_PASSWORD': USR_PWD,
+                   'MAG_USER_NAME_2': USR_NAME_2,
+                   'MAG_USER_PASSWORD_2': USR_PWD_2}
         testenv.update(kdcenv)
         test_basic_auth_krb5(testdir, testenv, testlog)
 

tests/t_basic_k5_two_users.py

@@ -0,0 +1,27 @@
+#!/usr/bin/python
+# Copyright (C) 2015 - mod_auth_gssapi contributors, see COPYING for license.
+
+import os
+import requests
+from requests.auth import HTTPBasicAuth
+
+
+if __name__ == '__main__':
+    s = requests.Session()
+
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME'],
+                                                os.environ['MAG_USER_PASSWORD'],
+                                                os.environ['NSS_WRAPPER_HOSTNAME'])
+    r = s.get(url)
+    if r.status_code != 200:
+        raise ValueError('Basic Auth Failed')
+
+    url = 'http://%s:%s@%s/basic_auth_krb5/' % (os.environ['MAG_USER_NAME_2'],
+                                                os.environ['MAG_USER_PASSWORD_2'],
+                                                os.environ['NSS_WRAPPER_HOSTNAME'])
+    r2 = s.get(url)
+    if r2.status_code != 200:
+        raise ValueError('Basic Auth failed')
+
+    if r.text == r2.text:
+         raise ValueError('Basic Auth fatal error')