nginx-tests: auth_request.t comparison

comparison auth_request.t @ 322:67c348ba1768

Tests: auth request tests import.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Wed, 21 Aug 2013 19:22:06 +0400
parents
children	d48de852157c

comparison

equal deleted inserted replaced

-:f98e8674361b
+:67c348ba1768
+#!/usr/bin/perl
+# (C) Maxim Dounin
+# Tests for auth request module.
+###############################################################################
+use warnings;
+use strict;
+use Socket qw/ CRLF /;
+use Test::More;
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+use lib 'lib';
+use Test::Nginx;
+###############################################################################
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+my $t = Test::Nginx->new()
+	->has(qw/http rewrite proxy fastcgi auth_basic auth_request/)
+	->plan(18);
+$t->write_file_expand('nginx.conf', <<'EOF');
+%%TEST_GLOBALS%%
+master_process off;
+daemon         off;
+events {
+}
+http {
+%%TEST_GLOBALS_HTTP%%
+server {
+listen       127.0.0.1:8080;
+server_name  localhost;
+location / {
+return 444;
+}
+location /open {
+auth_request /auth-open;
+}
+location = /auth-open {
+return 204;
+}
+location /open-static {
+auth_request /auth-open-static;
+}
+location = /auth-open-static {
+# nothing, use static file
+}
+location /unauthorized {
+auth_request /auth-unauthorized;
+}
+location = /auth-unauthorized {
+return 401;
+}
+location /forbidden {
+auth_request /auth-forbidden;
+}
+location = /auth-forbidden {
+return 403;
+}
+location /error {
+auth_request /auth-error;
+}
+location = /auth-error {
+return 404;
+}
+location /off {
+auth_request off;
+}
+location /proxy {
+auth_request /auth-proxy;
+}
+location = /auth-proxy {
+proxy_pass http://127.0.0.1:8080/auth-basic;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
+}
+location = /auth-basic {
+auth_basic "restricted";
+auth_basic_user_file %%TESTDIR%%/htpasswd;
+}
+location = /proxy-double {
+proxy_pass http://127.0.0.1:8080/auth-error;
+proxy_intercept_errors on;
+error_page 404 = /proxy-double-fallback;
+client_body_buffer_size 4k;
+}
+location = /proxy-double-fallback {
+auth_request /auth-proxy-double;
+proxy_pass http://127.0.0.1:8080/auth-open;
+}
+location = /auth-proxy-double {
+proxy_pass http://127.0.0.1:8080/auth-open;
+proxy_pass_request_body off;
+proxy_set_header Content-Length "";
+}
+location /fastcgi {
+auth_request /auth-fastcgi;
+}
+location = /auth-fastcgi {
+fastcgi_pass 127.0.0.1:8081;
+fastcgi_pass_request_body off;
+}
+}
+}
+EOF
+$t->write_file('htpasswd', 'user:zz1T8N4tWvmbE' . "\n");
+$t->write_file('auth-basic', 'INVISIBLE');
+$t->write_file('auth-open-static', 'INVISIBLE');
+$t->run();
+###############################################################################
+pass('runs');
+like(http_get('/open'), qr/ 404 /, 'auth open');
+like(http_get('/unauthorized'), qr/ 401 /, 'auth unauthorized');
+like(http_get('/forbidden'), qr/ 403 /, 'auth forbidden');
+like(http_get('/error'), qr/ 500 /, 'auth error');
+like(http_get('/off'), qr/ 404 /, 'auth off');
+like(http_post('/open'), qr/ 404 /, 'auth post open');
+like(http_post('/unauthorized'), qr/ 401 /, 'auth post unauthorized');
+like(http_get('/open-static'), qr/ 404 /, 'auth open static');
+unlike(http_get('/open-static'), qr/INVISIBLE/, 'auth static no content');
+like(http_get('/proxy'), qr/ 401 /, 'proxy auth unauthorized');
+like(http_get('/proxy'), qr/WWW-Authenticate: Basic realm="restricted"/,
+	'proxy auth has www-authenticate');
+like(http_get_auth('/proxy'), qr/ 404 /, 'proxy auth pass');
+unlike(http_get_auth('/proxy'), qr/INVISIBLE/, 'proxy auth no content');
+like(http_post('/proxy'), qr/ 401 /, 'proxy auth post');
+# Consider the following scenario:
+#
+# 1. proxy_pass reads request body, then goes to fallback via error_page
+# 2. auth request uses proxy_pass, and upstream module closes request body file
+#    in ngx_http_upstream_send_response()
+# 3. oops: fallback has no body
+#
+# To prevent this we always allocate fake request body for auth request.
+#
+# Note that this doesn't happen when using header_only as relevant code
+# in ngx_http_upstream_send_response() isn't reached.  It may be reached
+# with proxy_cache or proxy_store, but they will shutdown client connection
+# in case of header_only and hence do not work for us at all.
+like(http_post_big('/proxy-double'), qr/ 204 /, 'proxy auth with body read');
+SKIP: {
+	eval { require FCGI; };
+	skip 'FCGI not installed', 2 if $@;
+	$t->run_daemon(\&fastcgi_daemon);
+	$t->waitforsocket('127.0.0.1:8081');
+	like(http_get('/fastcgi'), qr/ 404 /, 'fastcgi auth open');
+	unlike(http_get('/fastcgi'), qr/INVISIBLE/, 'fastcgi auth no content');
+}
+###############################################################################
+sub http_get_auth {
+my ($url, %extra) = @_;
+return http(<<EOF, %extra);
+GET $url HTTP/1.0
+Host: localhost
+Authorization: Basic dXNlcjpzZWNyZXQ=
+EOF
+}
+sub http_post {
+	my ($url, %extra) = @_;
+	my $p = "POST $url HTTP/1.0" . CRLF .
+		"Host: localhost" . CRLF .
+		"Content-Length: 10" . CRLF .
+		CRLF .
+		"1234567890";
+	return http($p, %extra);
+}
+sub http_post_big {
+	my ($url, %extra) = @_;
+	my $p = "POST $url HTTP/1.0" . CRLF .
+		"Host: localhost" . CRLF .
+		"Content-Length: 10240" . CRLF .
+		CRLF .
+		("1234567890" x 1024);
+	return http($p, %extra);
+}
+###############################################################################
+sub fastcgi_daemon {
+	my $socket = FCGI::OpenSocket('127.0.0.1:8081', 5);
+	my $request = FCGI::Request(\*STDIN, \*STDOUT, \*STDERR, \%ENV,
+		$socket);
+	while ($request->Accept() >= 0) {
+		print <<EOF;
+Content-Type: text/html
+INVISIBLE
+EOF
+	}
+	FCGI::CloseSocket($socket);
+}
+###############################################################################

Mercurial > hg > nginx-tests

comparison auth_request.t @ 322:67c348ba1768