Merge pull request #43 from liggitt/ignore_whitespace

alextoombs · alextoombs · commit d72bbb5e5cb2 · 2016-04-06T12:19:57.000-07:00
Make header matching case-insensitive, tolerate multiple headers, internal whitespace
diff --git a/spnego/spnego_transport.go b/spnego/spnego_transport.go
@@ -11,14 +11,16 @@ import (
 	"github.com/apcera/gssapi"
 )
 
+const negotiateScheme = "Negotiate"
+
 // AddSPNEGONegotiate adds a Negotiate header with the value of a serialized
 // token to an http header.
 func AddSPNEGONegotiate(h http.Header, name string, token *gssapi.Buffer) {
 	if name == "" {
 		return
 	}
 
-	v := "Negotiate"
+	v := negotiateScheme
 	if token.Length() != 0 {
 		data := token.Bytes()
 		v = v + " " + base64.StdEncoding.EncodeToString(data)
@@ -28,31 +30,48 @@ func AddSPNEGONegotiate(h http.Header, name string, token *gssapi.Buffer) {
 
 // CheckSPNEGONegotiate checks for the presence of a Negotiate header. If
 // present, we return a gssapi Token created from the header value sent to us.
-func CheckSPNEGONegotiate(lib *gssapi.Lib, h http.Header, name string) (present bool, token *gssapi.Buffer) {
+func CheckSPNEGONegotiate(lib *gssapi.Lib, h http.Header, name string) (bool, *gssapi.Buffer) {
 	var err error
 	defer func() {
 		if err != nil {
 			lib.Debug(fmt.Sprintf("CheckSPNEGONegotiate: %v", err))
 		}
 	}()
 
-	v := h.Get(name)
-	if len(v) == 0 || !strings.HasPrefix(v, "Negotiate") {
-		return false, nil
-	}
+	for _, header := range h[http.CanonicalHeaderKey(name)] {
+		if len(header) < len(negotiateScheme) {
+			continue
+		}
+		if !strings.EqualFold(header[:len(negotiateScheme)], negotiateScheme) {
+			continue
+		}
 
-	present = true
-	tbytes, err := base64.StdEncoding.DecodeString(strings.TrimSpace(v[len("Negotiate"):]))
-	if err != nil {
-		return false, nil
-	}
+		// Remove the "Negotiate" prefix
+		normalizedToken := header[len(negotiateScheme):]
+		// Trim leading and trailing whitespace
+		normalizedToken = strings.TrimSpace(normalizedToken)
+		// Remove internal whitespace (some servers insert whitespace every 76 chars)
+		normalizedToken = strings.Replace(normalizedToken, " ", "", -1)
+		// Pad to a multiple of 4 chars for base64 (some servers strip trailing padding)
+		if unpaddedChars := len(normalizedToken) % 4; unpaddedChars != 0 {
+			normalizedToken += strings.Repeat("=", 4-unpaddedChars)
+		}
+
+		tbytes, err := base64.StdEncoding.DecodeString(normalizedToken)
+		if err != nil {
+			continue
+		}
+
+		if len(tbytes) == 0 {
+			return true, nil
+		}
 
-	if len(tbytes) > 0 {
-		token, err = lib.MakeBufferBytes(tbytes)
+		token, err := lib.MakeBufferBytes(tbytes)
 		if err != nil {
-			return false, nil
+			continue
 		}
+		return true, token
 	}
 
-	return present, token
+	return false, nil
 }
diff --git a/spnego/spnego_transport_test.go b/spnego/spnego_transport_test.go
@@ -0,0 +1,121 @@
+package spnego
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/apcera/gssapi"
+)
+
+func TestCheckSPNEGONegotiate(t *testing.T) {
+	lib, err := gssapi.Load(nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	name := "WWW-Authenticate"
+	canonicalName := http.CanonicalHeaderKey(name)
+
+	testcases := map[string]struct {
+		Headers         http.Header
+		Name            string
+		ExpectedPresent bool
+		ExpectedToken   string
+	}{
+		"empty": {
+			Headers:         http.Header{},
+			Name:            name,
+			ExpectedPresent: false,
+			ExpectedToken:   "",
+		},
+
+		"non-negotiate": {
+			Headers:         http.Header{canonicalName: []string{"Basic"}},
+			Name:            name,
+			ExpectedPresent: false,
+			ExpectedToken:   "",
+		},
+
+		"negotiate, no token": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "",
+		},
+		"negotiate, case-insensitive": {
+			Headers:         http.Header{canonicalName: []string{"negotiate"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "",
+		},
+		"negotiate, fallback from basic-auth": {
+			Headers:         http.Header{canonicalName: []string{"Basic", "Negotiate"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "",
+		},
+
+		"negotiate, with token": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate aGVsbG8="}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "hello",
+		},
+		"negotiate, with token with whitespace": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate    aGVs bG8="}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "hello",
+		},
+
+		"negotiate, with token needing no padding": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate cGFk"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "pad",
+		},
+		"negotiate, with token with 1 end-padding =": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate cGFkXzE="}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "pad_1",
+		},
+		"negotiate, with token missing 1 end-padding =": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate cGFkXzE"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "pad_1",
+		},
+		"negotiate, with token with 2 end-padding =": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate cGFkX19fMg=="}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "pad___2",
+		},
+		"negotiate, with token missing 2 end-padding =": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate cGFkX19fMg"}},
+			Name:            name,
+			ExpectedPresent: true,
+			ExpectedToken:   "pad___2",
+		},
+
+		"negotiate, with invalid token": {
+			Headers:         http.Header{canonicalName: []string{"Negotiate !@#$%"}},
+			Name:            name,
+			ExpectedPresent: false,
+			ExpectedToken:   "",
+		},
+	}
+
+	for k, tc := range testcases {
+		present, token := CheckSPNEGONegotiate(lib, tc.Headers, tc.Name)
+		if present != tc.ExpectedPresent {
+			t.Errorf("%s: expected present=%v, got %v", k, tc.ExpectedPresent, present)
+			continue
+		}
+		if token.String() != tc.ExpectedToken {
+			t.Errorf("%s: expected token=%q, got %q", k, tc.ExpectedToken, token)
+			continue
+		}
+	}
+}
