mirror of
https://gitlab.linphone.org/BC/public/flexisip-account-manager.git
synced 2026-01-17 10:08:05 +00:00
267 lines
9.5 KiB
PHP
267 lines
9.5 KiB
PHP
<?php
|
|
/*
|
|
Flexisip Account Manager is a set of tools to manage SIP accounts.
|
|
Copyright (C) 2019 Belledonne Communications SARL, All rights reserved.
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as
|
|
published by the Free Software Foundation, either version 3 of the
|
|
License, or (at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use App\Helpers\Utils;
|
|
use App\Password;
|
|
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Foundation\Testing\WithFaker;
|
|
use Tests\TestCase;
|
|
|
|
class AuthenticateDigestTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
const ROUTE = '/api/ping';
|
|
const METHOD = 'GET';
|
|
const ALGORITHMS = ['md5' => 'MD5', 'sha256' => 'SHA-256'];
|
|
|
|
public function testMandatoryFrom()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response = $this->json(self::METHOD, self::ROUTE);
|
|
$response->assertStatus(422);
|
|
}
|
|
|
|
public function testWrongFrom()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:missing@username',
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response->assertStatus(404);
|
|
}
|
|
|
|
public function testAuthenticate()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
])->json(self::METHOD, self::ROUTE);
|
|
$response->assertStatus(401);
|
|
}
|
|
|
|
public function testMultiHash()
|
|
{
|
|
// Two password and we link the second to the first related account
|
|
$passwordMD5 = factory(Password::class)->create();
|
|
$passwordSHA256 = factory(Password::class)->states('sha256')->make();
|
|
$passwordSHA256->account_id = $passwordMD5->account_id;
|
|
$passwordSHA256->save();
|
|
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$passwordMD5->account->identifier,
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response->assertStatus(401);
|
|
|
|
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
|
|
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
|
|
}
|
|
|
|
public function testReplayNonce()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response0 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response1 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response0),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response1->assertStatus(200);
|
|
|
|
// We increment the nc
|
|
$response2 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response1, 'md5', '00000002'),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response2->assertStatus(200);
|
|
|
|
// We don't increment it
|
|
$response3 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response2, 'md5', '00000002'),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response3->assertSee('Nonce replayed');
|
|
$response3->assertStatus(401);
|
|
}
|
|
|
|
public function testClearedNonce()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response1 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response2 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response1, 'md5', '00000001'),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response2->assertStatus(200);
|
|
|
|
// We remove the account related nonce
|
|
$password->account->nonces()->first()->delete();
|
|
|
|
$response3 = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response2, 'md5', '00000002'),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response3->assertSee('Nonce invalid');
|
|
$response3->assertStatus(401);
|
|
$this->assertStringContainsString('algorithm=MD5', $response3->headers->all()['www-authenticate'][0]);
|
|
}
|
|
|
|
public function testAuthenticationMD5()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
|
|
|
|
$response->assertStatus(200);
|
|
}
|
|
|
|
public function testAuthenticationSHA265()
|
|
{
|
|
$password = factory(Password::class)->states('sha256')->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response, 'sha256'),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][0]);
|
|
|
|
$response->assertStatus(200);
|
|
}
|
|
|
|
public function testAuthenticationSHA265FromCLRTXT()
|
|
{
|
|
$password = factory(Password::class)->states('clrtxt')->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
// The server is generating all the available hash algorythms
|
|
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
|
|
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
|
|
|
|
// Let's simulate a local hash for the clear password
|
|
$hash = 'sha256';
|
|
$password->password = hash(
|
|
$hash,
|
|
$password->account->username.':'.$password->account->domain.':'.$password->password
|
|
);
|
|
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response, $hash),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$this->assertStringContainsString('algorithm=MD5', $response->headers->all()['www-authenticate'][0]);
|
|
$this->assertStringContainsString('algorithm=SHA-256', $response->headers->all()['www-authenticate'][1]);
|
|
|
|
$response->assertStatus(200);
|
|
}
|
|
|
|
public function testAuthenticationBadPassword()
|
|
{
|
|
$password = factory(Password::class)->create();
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier
|
|
])->json(self::METHOD, self::ROUTE);
|
|
$password->password = 'wrong';
|
|
|
|
$response = $this->withHeaders([
|
|
'From' => 'sip:'.$password->account->identifier,
|
|
'Authorization' => $this->generateDigest($password, $response),
|
|
])->json(self::METHOD, self::ROUTE);
|
|
|
|
$response->assertStatus(401);
|
|
}
|
|
|
|
private function generateDigest(Password $password, $response, $hash = 'md5', $nc = '00000001')
|
|
{
|
|
$challenge = \substr($response->headers->get('www-authenticate'), 7);
|
|
$extractedChallenge = $this->extractAuthenticateHeader($challenge);
|
|
|
|
$cnonce = Utils::generateNonce();
|
|
|
|
$A1 = $password->password;
|
|
$A2 = hash($hash, self::METHOD . ':' . self::ROUTE);
|
|
$response = hash($hash,
|
|
sprintf(
|
|
'%s:%s:%s:%s:%s:%s',
|
|
$A1,
|
|
$extractedChallenge['nonce'],
|
|
$nc,
|
|
$cnonce,
|
|
$extractedChallenge['qop'],
|
|
$A2
|
|
)
|
|
);
|
|
|
|
$digest = \sprintf(
|
|
'username="%s",realm="%s",nonce="%s",nc=%s,cnonce="%s",uri="%s",qop=%s,response="%s",opaque="%s",algorithm=%s',
|
|
$password->account->identifier,
|
|
$extractedChallenge['realm'],
|
|
$extractedChallenge['nonce'],
|
|
$nc,
|
|
$cnonce,
|
|
self::ROUTE,
|
|
$extractedChallenge['qop'],
|
|
$response,
|
|
$extractedChallenge['opaque'],
|
|
self::ALGORITHMS[$hash],
|
|
);
|
|
|
|
return 'Digest ' . $digest;
|
|
}
|
|
|
|
private function extractAuthenticateHeader(string $string): array
|
|
{
|
|
preg_match_all(
|
|
'@(realm|nonce|qop|opaque|algorithm)=[\'"]?([^\'",]+)@',
|
|
$string,
|
|
$array
|
|
);
|
|
|
|
return array_combine($array[1], $array[2]);
|
|
}
|
|
}
|