[tor-commits] [stem/master] Testing and fix for invalid auth cookies

atagar at torproject.org atagar at torproject.org
Fri Dec 9 18:03:00 UTC 2011


commit bd51ff4d69decfc866366a5381bd1ba0dc7ee866
Author: Damian Johnson <atagar at torproject.org>
Date:   Fri Dec 9 09:47:17 2011 -0800

    Testing and fix for invalid auth cookies
    
    Adding a test and fix for when the authentication cookie is the right size but
    has the wrong contents.
---
 stem/connection.py                      |    5 ++-
 test/integ/connection/authentication.py |   47 +++++++++++++++++++++++++++---
 test/runner.py                          |   14 +++++++++
 3 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/stem/connection.py b/stem/connection.py
index 850a1f3..938ab2f 100644
--- a/stem/connection.py
+++ b/stem/connection.py
@@ -278,10 +278,11 @@ def authenticate_cookie(control_socket, cookie_path, suppress_ctl_errors = True)
       control_socket.close()
       
       # all we have to go on is the error message from tor...
-      # ... Wrong length on authentication cookie.
+      # ... Authentication cookie did not match expected value.
       # ... *or* authentication cookie.
       
-      if "authentication cookie." in str(auth_response):
+      if "*or* authentication cookie." in str(auth_response) or \
+         "Authentication cookie did not match expected value." in str(auth_response):
         raise IncorrectCookieValue(str(auth_response), auth_response)
       else:
         raise CookieAuthRejected(str(auth_response), auth_response)
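Review bot: The branch starting at `if "*or* authentication cookie." in str(auth_response) or \` chooses between IncorrectCookieValue and CookieAuthRejected purely by matching tor's human-readable error text, so a reworded message would fall through to CookieAuthRejected without any signal. The narrowed match also means a "Wrong length on authentication cookie." response, which the old substring caught, now takes the else branch. If that is intended, the comment should say so, e.g. `# a "Wrong length on authentication cookie." reply is deliberately reported as CookieAuthRejected`. Converting once with `auth_msg = str(auth_response)` and testing both substrings against `auth_msg` would also remove the line continuation. The body of authenticate_cookie starts and ends outside this hunk.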
diff --git a/test/integ/connection/authentication.py b/test/integ/connection/authentication.py
index d7d0817..ee36946 100644
--- a/test/integ/connection/authentication.py
+++ b/test/integ/connection/authentication.py
@@ -17,7 +17,9 @@ COOKIE_AUTH_FAIL = "Authentication failed: Wrong length on authentication cookie
 PASSWORD_AUTH_FAIL = "Authentication failed: Password did not match HashedControlPassword value from configuration. Maybe you tried a plain text password? If so, the standard requires that you put it in double quotes."
 MULTIPLE_AUTH_FAIL = "Authentication failed: Password did not match HashedControlPassword *or* authentication cookie."
 
-# this only arises in password-only auth when we authenticate by password
+# this only arises in cookie-only or password-only auth when we authenticate
+# with the wrong value
+INCORRECT_COOKIE_FAIL = "Authentication failed: Authentication cookie did not match expected value."
 INCORRECT_PASSWORD_FAIL = "Authentication failed: Password did not match HashedControlPassword value from configuration"
 
 class TestAuthenticate(unittest.TestCase):
@@ -88,6 +90,34 @@ class TestAuthenticate(unittest.TestCase):
       self.assertRaises(stem.connection.CookieAuthRejected, self._check_auth, auth_type, auth_value)
       self._assert_auth_rejected_msg(auth_type, auth_value)
   
+  def test_authenticate_cookie_invalid(self):
+    """
+    Tests the authenticate_cookie function with a properly sized but incorrect
+    value.
+    """
+    
+    auth_type = stem.connection.AuthMethod.COOKIE
+    auth_value = os.path.join(test.runner.get_runner().get_test_dir(), "fake_cookie")
+    
+    # we need to create a 32 byte cookie file to load from
+    fake_cookie = open(auth_value, "w")
+    fake_cookie.write("0" * 32)
+    fake_cookie.close()
+    
+    if self._can_authenticate(test.runner.TorConnection.NONE):
+      # authentication will work anyway
+      self._check_auth(auth_type, auth_value)
+    else:
+      if self._can_authenticate(auth_type):
+        exc_type = stem.connection.IncorrectCookieValue
+      else:
+        exc_type = stem.connection.CookieAuthRejected
+      
+      self.assertRaises(exc_type, self._check_auth, auth_type, auth_value)
+      self._assert_auth_rejected_msg(auth_type, auth_value)
+    
+    os.remove(auth_value)
+  
   def test_authenticate_cookie_missing(self):
     """
     Tests the authenticate_cookie function with a path that really, really
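Review bot: The fake cookie file is removed only by the final `os.remove(auth_value)`, so a failing `assertRaises` or `_assert_auth_rejected_msg` in test_authenticate_cookie_invalid leaves `fake_cookie` behind in the test directory for later runs. Wrapping the checks in `try:` … `finally: os.remove(auth_value)` keeps the cleanup unconditional. The write has the same gap: if `fake_cookie.write("0" * 32)` raises, the handle is never closed, so the open/write/close sequence needs its own try/finally (or a `with` block where the supported Python versions allow it).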
@@ -198,11 +228,18 @@ class TestAuthenticate(unittest.TestCase):
     if cookie_auth and password_auth:
       failure_msg = MULTIPLE_AUTH_FAIL
     elif cookie_auth:
-      failure_msg = COOKIE_AUTH_FAIL
-    elif auth_type == stem.connection.AuthMethod.PASSWORD:
-      failure_msg = INCORRECT_PASSWORD_FAIL
+      if auth_type == stem.connection.AuthMethod.COOKIE:
+        failure_msg = INCORRECT_COOKIE_FAIL
+      else:
+        failure_msg = COOKIE_AUTH_FAIL
+    elif password_auth:
+      if auth_type == stem.connection.AuthMethod.PASSWORD:
+        failure_msg = INCORRECT_PASSWORD_FAIL
+      else:
+        failure_msg = PASSWORD_AUTH_FAIL
     else:
-      failure_msg = PASSWORD_AUTH_FAIL
+      # shouldn't happen, if so then the test has a bug
+      raise ValueError("No methods of authentication. If this is an open socket then auth shoulnd't fail.")
     
     try:
       auth_function()
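Review bot: The message of the new `raise ValueError(...)` in the final else branch misspells "shouldn't" as `shoulnd't`, which makes the text harder to grep for when the branch fires. Since the branch signals a bug in the test itself and the helper appears to be a TestCase method, `self.fail("No methods of authentication. If this is an open socket then auth shouldn't fail.")` would report it through the test framework rather than as an unexpected exception. The enclosing function starts and ends outside this hunk.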
diff --git a/test/runner.py b/test/runner.py
index ed0f798..6284464 100644
--- a/test/runner.py
+++ b/test/runner.py
@@ -10,6 +10,7 @@ Runner - Runtime context for our integration tests.
   |- start - prepares and starts a tor instance for our tests to run against
   |- stop - stops our tor instance and cleans up any temporary files
   |- is_running - checks if our tor test instance is running
+  |- get_test_dir - testing directory path
   |- get_torrc_path - path to our tor instance's torrc
   |- get_torrc_contents - contents of our tor instance's torrc
   |- get_connection_type - method by which controllers can connect to tor
@@ -235,6 +236,19 @@ class Runner:
     
     return is_running
   
+  def get_test_dir(self):
+    """
+    Provides the absolute path for our testing directory.
+    
+    Returns:
+      str with our test direcectory path
+    
+    Raises:
+      RunnerStopped if we aren't running
+    """
+    
+    return self._get("_test_dir")
+  
   def get_torrc_path(self):
     """
     Provides the absolute path for where our testing torrc resides.
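Review bot: The Returns line of the new get_test_dir docstring misspells "directory" as `direcectory`; it should read `str with our test directory path`. The Raises clause depends on `self._get` raising RunnerStopped, which is defined outside this hunk, so it is worth confirming that `_get("_test_dir")` behaves that way for this attribute.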




