mirrors/flexisip-account-manager
1
0
Fork 0
mirror of https://gitlab.linphone.org/BC/public/flexisip-account-manager.git synced 2026-01-17 10:08:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
flexisip-account-manager/flexiapi/tests/Feature/ApiAuthenticationTest.php
Timothée Jaussoin a3861304cc Fix FLEXIAPI-284 Add configurable admin API Keys
2025-04-10 09:11:26 +00:00

250 lines
9 KiB
PHP
Raw Blame History

<?php
/*
Flexisip Account Manager is a set of tools to manage SIP accounts.
Copyright (C) 2020 Belledonne Communications SARL, All rights reserved.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
namespace Tests\Feature;
use App\Password;
use App\Space;
use Tests\TestCase;
class ApiAuthenticationTest extends TestCase
{
protected $route = '/api/accounts/me';
protected $method = 'GET';
public function testMandatoryFrom()
{
Password::factory()->create();
$response = $this->json($this->method, $this->route);
$response->assertStatus(401);
}
public function testWrongFrom()
{
Password::factory()->create();
$response = $this->withHeaders([
'From' => 'sip:missing@username',
])->json($this->method, $this->route);
$response->assertStatus(404);
}
public function testAuthenticate()
{
$password = Password::factory()->create();
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
])->json($this->method, $this->route);
$response->assertStatus(401);
}
public function testAuthenticateWithKey()
{
$password = Password::factory()->create();
$password->account->generateUserApiKey();
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'x-api-key' => $password->account->apiKey->key,
])->json($this->method, $this->route);
$response->assertStatus(200);
}
public function testMultiHash()
{
// Two password and we link the second to the first related account
$passwordMD5 = Password::factory()->create();
$passwordSHA256 = Password::factory()->sha256()->make();
$passwordSHA256->account_id = $passwordMD5->account_id;
$passwordSHA256->save();
$response = $this->withHeaders([
'From' => 'sip:'.$passwordMD5->account->identifier,
])->json($this->method, $this->route);
$response->assertStatus(401);
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
}
public function testReplayNonce()
{
$password = Password::factory()->create();
$response0 = $this->generateFirstResponse($password);
$response1 = $this->generateSecondResponse($password, $response0)
->json($this->method, $this->route);
$response1->assertStatus(200);
// We increment the nc
$response2 = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response1, 'md5', '00000002'),
])->json($this->method, $this->route);
$response2->assertStatus(200);
// We don't increment it
$response3 = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response2, 'md5', '00000002'),
])->json($this->method, $this->route);
$response3->assertSee('Nonce replayed');
$response3->assertStatus(401);
}
public function testClearedNonce()
{
$password = Password::factory()->create();
$response1 = $this->generateFirstResponse($password);
$response2 = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response1, 'md5', '00000001'),
])->json($this->method, $this->route);
$response2->assertStatus(200);
// We remove the account related nonce
$password->account->nonces()->first()->delete();
$response3 = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response2, 'md5', '00000002'),
])->json($this->method, $this->route);
$response3->assertSee('Nonce invalid');
$response3->assertStatus(401);
$this->assertStringContainsString('algorithm=MD5', $response3->headers->all()['www-authenticate'][0]);
}
public function testAuthenticationMD5()
{
$password = Password::factory()->create();
$response = $this->generateFirstResponse($password);
$response = $this->generateSecondResponse($password, $response)
->json($this->method, $this->route);
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
$response->assertStatus(200);
}
public function testAuthenticationSHA265()
{
$password = Password::factory()->sha256()->create();
$response = $this->generateFirstResponse($password);
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response, 'sha256'),
])->json($this->method, $this->route);
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][0]);
$response->assertStatus(200);
}
public function testAuthenticationWrongAlgorithm()
{
$password = Password::factory()->sha256()->create();
$response = $this->generateFirstResponse($password);
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response, 'md5'),
])->json($this->method, $this->route);
$response->assertStatus(401);
}
public function testAuthenticationSHA265FromCLRTXT()
{
Space::truncate();
Space::factory()->local()->create();
space(reload: true);
$password = Password::factory()->clrtxt()->create();
$response = $this->generateFirstResponse($password);
// The server is generating all the available hash algorythms
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
// Let's simulate a local hash for the clear password
$hash = 'sha256';
$password->password = hash(
$hash,
$password->account->username.':'.$password->account->domain.':'.$password->password
);
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response, $hash),
])->json($this->method, $this->route);
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
$response->assertStatus(200);
}
public function testAuthenticationSHA265FromCLRTXTWithRealm()
{
$realm = 'realm.com';
Space::truncate();
Space::factory()->local()->withRealm($realm)->create();
space(reload: true);
$password = Password::factory()->clrtxt()->create();
$response = $this->generateFirstResponse($password);
// Let's simulate a local hash for the clear password
$hash = 'sha256';
$password->password = hash(
$hash,
$password->account->username.':'.$realm.':'.$password->password
);
$response = $this->withHeaders([
'From' => 'sip:'.$password->account->identifier,
'Authorization' => $this->generateDigest($password, $response, $hash)
])->json($this->method, $this->route);
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
$response->assertStatus(200);
}
public function testAuthenticationBadPassword()
{
$password = Password::factory()->create();
$response = $this->generateFirstResponse($password);
;
$password->password = 'wrong';
$response = $this->generateSecondResponse($password, $response)
->json($this->method, $this->route);
$response->assertStatus(401);
}
}
Reference in a new issue View git blame Copy permalink