HTTP/2 authentication required

With Qt 6 we made HTTP/2 default, which exposed missing handling of 401 Unauthorized (and 407 Proxy Authentication Required). In HTTP/1.* we would handle this after the response had finished, while handling the status code. For h2 this path isn't used since it is heavily reliant on the structure we have for HTTP/1.* (one request per channel). So we must handle the status code and header directly. Having that part fixed exposed another issue - when resetting/rewinding uploaded data we were not resetting the 'totallyUploadedData' counter in the reply (this, in turn, exposed another small issue). Because of that we did not actually send any data on the retry, only sending the content-length followed by no data. Finally, the small issue mentioned in the previous paragraph was how we check if we have uploaded all our data. It was only checking if the byte-device was atEnd(), which it was. But only because it had not yet prepared any data for us. Fixes: QTBUG-91284 Pick-to: 6.1 6.0 5.15 Change-Id: I798d105b02688b18a02897cc476f19f57a47f98f Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io> Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
author: Mårten Nordheim <marten.nordheim@qt.io> 2021-03-22 11:02:52 +0100
committer: Mårten Nordheim <marten.nordheim@qt.io> 2021-04-29 13:05:16 +0200
commit: 52a0eb4791727157a7b385f7e022faad28da4821 (patch)
tree: cdbf283e09c0926881765606f3abec56c026eb86 /tests/auto/network/access
parent: 675a4b0cc77a81d92cea6e044200349676f3b117 (diff)
3 files changed, 114 insertions, 0 deletions
diff --git a/tests/auto/network/access/http2/http2srv.cpp b/tests/auto/network/access/http2/http2srv.cpp
index d09779bb8f..c2670ca2a5 100644
--- a/tests/auto/network/access/http2/http2srv.cpp
+++ b/tests/auto/network/access/http2/http2srv.cpp
@@ -125,6 +125,11 @@ void Http2Server::setContentEncoding(const QByteArray &encoding)
     contentEncoding = encoding;
 }
 
+void Http2Server::setAuthenticationHeader(const QByteArray &authentication)
+{
+    authenticationHeader = authentication;
+}
+
 void Http2Server::emulateGOAWAY(int timeout)
 {
     Q_ASSERT(timeout >= 0);
@@ -143,6 +148,17 @@ bool Http2Server::isClearText() const
     return connectionType == H2Type::h2c || connectionType == H2Type::h2cDirect;
 }
 
+QByteArray Http2Server::requestAuthorizationHeader()
+{
+    const auto isAuthHeader = [](const HeaderField &field) {
+        return field.name == "authorization";
+    };
+    const auto requestHeaders = decoder.decodedHeader();
+    const auto authentication =
+            std::find_if(requestHeaders.cbegin(), requestHeaders.cend(), isAuthHeader);
+    return authentication == requestHeaders.cend() ? QByteArray() : authentication->value;
+}
+
 void Http2Server::startServer()
 {
     if (listen()) {
@@ -741,6 +757,9 @@ void Http2Server::handleDATA()
         streamWindows.erase(it);
         emit receivedData(streamID);
     }
+    emit receivedDATAFrame(streamID,
+                           QByteArray(reinterpret_cast<const char *>(inboundFrame.dataBegin()),
+                                      inboundFrame.dataSize()));
 }
 
 void Http2Server::handleWINDOW_UPDATE()
@@ -821,6 +840,9 @@ void Http2Server::sendResponse(quint32 streamID, bool emptyBody)
     if (emptyBody)
         writer.addFlag(FrameFlag::END_STREAM);
 
+    // We assume any auth is correct. Leaves the checking to the test itself
+    const bool hasAuth = !requestAuthorizationHeader().isEmpty();
+
     HttpHeader header;
     if (redirectWhileReading) {
         if (redirectSent) {
@@ -837,6 +859,10 @@ void Http2Server::sendResponse(quint32 streamID, bool emptyBody)
         header.push_back({"location", url.arg(isClearText() ? QStringLiteral("http") : QStringLiteral("https"),
                                               QString::number(targetPort)).toLatin1()});
 
+    } else if (!authenticationHeader.isEmpty() && !hasAuth) {
+        header.push_back({ ":status", "401" });
+        header.push_back(HPack::HeaderField("www-authenticate", authenticationHeader));
+        authenticationHeader.clear();
     } else {
         header.push_back({":status", "200"});
     }
diff --git a/tests/auto/network/access/http2/http2srv.h b/tests/auto/network/access/http2/http2srv.h
index baf0155988..671cacbd54 100644
--- a/tests/auto/network/access/http2/http2srv.h
+++ b/tests/auto/network/access/http2/http2srv.h
@@ -88,11 +88,15 @@ public:
     void setResponseBody(const QByteArray &body);
     // No content encoding is actually performed, call setResponseBody with already encoded data
     void setContentEncoding(const QByteArray &contentEncoding);
+    // No authentication data is generated for the method, the full header value must be set
+    void setAuthenticationHeader(const QByteArray &authentication);
     void emulateGOAWAY(int timeout);
     void redirectOpenStream(quint16 targetPort);
 
     bool isClearText() const;
 
+    QByteArray requestAuthorizationHeader();
+
     // Invokables, since we can call them from the main thread,
     // but server (can) work on its own thread.
     Q_INVOKABLE void startServer();
@@ -129,6 +133,8 @@ Q_SIGNALS:
     void decompressionFailed(quint32 streamID);
     void receivedRequest(quint32 streamID);
     void receivedData(quint32 streamID);
+    // Emitted for every DATA frame. Includes the content of the frame as \a body.
+    void receivedDATAFrame(quint32 streamID, const QByteArray &body);
     void windowUpdate(quint32 streamID);
     void sendingData();
 
@@ -215,6 +221,7 @@ private:
     QAtomicInt interrupted;
 
     QByteArray contentEncoding;
+    QByteArray authenticationHeader;
 protected slots:
     void ignoreErrorSlot();
 };
diff --git a/tests/auto/network/access/http2/tst_http2.cpp b/tests/auto/network/access/http2/tst_http2.cpp
index 834ec064d4..b38ebabe80 100644
--- a/tests/auto/network/access/http2/tst_http2.cpp
+++ b/tests/auto/network/access/http2/tst_http2.cpp
@@ -112,6 +112,9 @@ private slots:
     void contentEncoding_data();
     void contentEncoding();
 
+    void authenticationRequired_data();
+    void authenticationRequired();
+
 protected slots:
     // Slots to listen to our in-process server:
     void serverStarted(quint16 port);
@@ -881,6 +884,84 @@ void tst_Http2::contentEncoding()
     QTEST(reply->readAll(), "expected");
 }
 
+void tst_Http2::authenticationRequired_data()
+{
+    QTest::addColumn<bool>("success");
+
+    QTest::addRow("failed-auth") << false;
+    QTest::addRow("successful-auth") << true;
+}
+
+void tst_Http2::authenticationRequired()
+{
+    clearHTTP2State();
+
+    QFETCH(const bool, success);
+
+    ServerPtr targetServer(newServer(defaultServerSettings, defaultConnectionType()));
+    targetServer->setResponseBody("Hello");
+    targetServer->setAuthenticationHeader("Basic realm=\"Shadow\"");
+
+    QMetaObject::invokeMethod(targetServer.data(), "startServer", Qt::QueuedConnection);
+    runEventLoop();
+
+    QVERIFY(serverPort != 0);
+
+    nRequests = 1;
+
+    auto url = requestUrl(defaultConnectionType());
+    url.setPath("/index.html");
+    QNetworkRequest request(url);
+
+    QByteArray expectedBody = "Hello, World!";
+    request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
+    QScopedPointer<QNetworkReply> reply;
+    reply.reset(manager->post(request, expectedBody));
+
+    bool authenticationRequested = false;
+    connect(manager.get(), &QNetworkAccessManager::authenticationRequired, reply.get(),
+            [&](QNetworkReply *, QAuthenticator *auth) {
+                authenticationRequested = true;
+                if (success) {
+                    auth->setUser("admin");
+                    auth->setPassword("admin");
+                }
+            });
+
+    QByteArray receivedBody;
+    connect(targetServer.get(), &Http2Server::receivedDATAFrame, reply.get(),
+            [&receivedBody](quint32 streamID, const QByteArray &body) {
+                if (streamID == 3) // The expected body is on the retry, so streamID == 3
+                    receivedBody += body;
+            });
+
+    if (success)
+        connect(reply.get(), &QNetworkReply::finished, this, &tst_Http2::replyFinished);
+    else
+        connect(reply.get(), &QNetworkReply::errorOccurred, this, &tst_Http2::replyFinishedWithError);
+    // Since we're using self-signed certificates,
+    // ignore SSL errors:
+    reply->ignoreSslErrors();
+
+    runEventLoop();
+    STOP_ON_FAILURE
+
+    if (!success)
+        QCOMPARE(reply->error(), QNetworkReply::AuthenticationRequiredError);
+    // else: no error (is checked in tst_Http2::replyFinished)
+
+    QVERIFY(authenticationRequested);
+
+    const auto isAuthenticated = [](QByteArray bv) {
+        return bv == "Basic YWRtaW46YWRtaW4="; // admin:admin
+    };
+    // Get the "authorization" header out from the server and make sure it's as expected:
+    auto reqAuthHeader = targetServer->requestAuthorizationHeader();
+    QCOMPARE(isAuthenticated(reqAuthHeader), success);
+    if (success)
+        QCOMPARE(receivedBody, expectedBody);
+}
+
 void tst_Http2::serverStarted(quint16 port)
 {
     serverPort = port;
author	Mårten Nordheim <marten.nordheim@qt.io>	2021-03-22 11:02:52 +0100
committer	Mårten Nordheim <marten.nordheim@qt.io>	2021-04-29 13:05:16 +0200
commit	52a0eb4791727157a7b385f7e022faad28da4821 (patch)
tree	cdbf283e09c0926881765606f3abec56c026eb86 /tests/auto/network/access
parent	675a4b0cc77a81d92cea6e044200349676f3b117 (diff)