authorMårten Nordheim <marten.nordheim@qt.io>2024-01-25 12:39:08 +0100
committerMårten Nordheim <marten.nordheim@qt.io>2024-01-25 18:37:48 +0100
commitffe0271a21e9574d1c9eab5fb9803573e17e0f22 (patch)
tree33f0af83f010e26b7723f93c0e70c6fc5b44719f /tests/auto/network/access
parent1e7f1e5b73b931931178bc884d3469439adf8c5c (diff)
Http2: fix 401 authentication required w/o challenge
The code did not handle the path where we didn't have a challenge. We cannot recover from that so we just have to fail the request. Amends fe1b668861e8a3ef99e126821fcd3eeaa6044b54 Pick-to: 6.7 6.6 6.6.2 6.5 6.2 Fixes: QTBUG-121515 Change-Id: Ie39a92e7439785a09cad28e8f81599a51de5e27f Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Diffstat (limited to 'tests/auto/network/access')
-rw-r--r--tests/auto/network/access/http2/http2srv.cpp8
-rw-r--r--tests/auto/network/access/http2/http2srv.h3
-rw-r--r--tests/auto/network/access/http2/tst_http2.cpp21
3 files changed, 26 insertions, 6 deletions
diff --git a/tests/auto/network/access/http2/http2srv.cpp b/tests/auto/network/access/http2/http2srv.cpp
index f98fed0322..dd2c3d613c 100644
--- a/tests/auto/network/access/http2/http2srv.cpp
+++ b/tests/auto/network/access/http2/http2srv.cpp
@@ -105,6 +105,12 @@ void Http2Server::setAuthenticationHeader(const QByteArray &authentication)
authenticationHeader = authentication;
}
+void Http2Server::setAuthenticationRequired(bool enable)
+{
+ Q_ASSERT(!enable || authenticationHeader.isEmpty());
+ authenticationRequired = enable;
+}
+
void Http2Server::setRedirect(const QByteArray &url, int count)
{
redirectUrl = url;
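Review bot: The mutual-exclusion check added in `setAuthenticationRequired` only runs in one direction: calling `setAuthenticationHeader` after `setAuthenticationRequired(true)` is not asserted, and `sendResponse` would then silently take the challenge branch. A matching `Q_ASSERT(authentication.isEmpty() || !authenticationRequired);` in `setAuthenticationHeader` (whose body starts outside this hunk) would catch the misuse in either order. The declaration comment in http2srv.h could say the same, e.g. `// Always answer 401 without a www-authenticate challenge; mutually exclusive with setAuthenticationHeader()`.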
@@ -860,6 +866,8 @@ void Http2Server::sendResponse(quint32 streamID, bool emptyBody)
} else if (!authenticationHeader.isEmpty() && !hasAuth) {
header.push_back({ ":status", "401" });
header.push_back(HPack::HeaderField("www-authenticate", authenticationHeader));
+ } else if (authenticationRequired) {
+ header.push_back({ ":status", "401" });
} else {
header.push_back({":status", "200"});
}
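Review bot: The new `else if (authenticationRequired)` branch never looks at `hasAuth`, so the server answers 401 even to a request that carries credentials, unlike the challenge branch directly above it. That looks intended for the no-challenge test, but nothing states it; a comment such as `// No challenge to answer: reject every request, with or without an Authorization header` would make it explicit. The enclosing if/else chain in `sendResponse` starts outside this hunk.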
diff --git a/tests/auto/network/access/http2/http2srv.h b/tests/auto/network/access/http2/http2srv.h
index cc5353c855..11a75c5ef9 100644
--- a/tests/auto/network/access/http2/http2srv.h
+++ b/tests/auto/network/access/http2/http2srv.h
@@ -65,6 +65,8 @@ public:
void setContentEncoding(const QByteArray &contentEncoding);
// No authentication data is generated for the method, the full header value must be set
void setAuthenticationHeader(const QByteArray &authentication);
+ // Authentication always required, no challenge provided
+ void setAuthenticationRequired(bool enable);
// Set the redirect URL and count. The server will return a redirect response with the url
// 'count' amount of times
void setRedirect(const QByteArray &redirectUrl, int count);
@@ -202,6 +204,7 @@ private:
QByteArray contentEncoding;
QByteArray authenticationHeader;
+ bool authenticationRequired = false;
QByteArray redirectUrl;
int redirectCount = 0;
diff --git a/tests/auto/network/access/http2/tst_http2.cpp b/tests/auto/network/access/http2/tst_http2.cpp
index 85bcfcb8c4..1b52905f73 100644
--- a/tests/auto/network/access/http2/tst_http2.cpp
+++ b/tests/auto/network/access/http2/tst_http2.cpp
@@ -1064,13 +1064,18 @@ void tst_Http2::authenticationRequired_data()
{
QTest::addColumn<bool>("success");
QTest::addColumn<bool>("responseHEADOnly");
+ QTest::addColumn<bool>("withChallenge");
- QTest::addRow("failed-auth") << false << true;
- QTest::addRow("successful-auth") << true << true;
+ QTest::addRow("failed-auth") << false << true << true;
+ QTest::addRow("successful-auth") << true << true << true;
// Include a DATA frame in the response from the remote server. An example would be receiving a
// JSON response on a request along with the 401 error.
- QTest::addRow("failed-auth-with-response") << false << false;
- QTest::addRow("successful-auth-with-response") << true << false;
+ QTest::addRow("failed-auth-with-response") << false << false << true;
+ QTest::addRow("successful-auth-with-response") << true << false << true;
+
+ // Don't provide a challenge header. This is valid if you are actually just
+ // denied access for whatever reason.
+ QTest::addRow("no-challenge") << false << false << false;
}
void tst_Http2::authenticationRequired()
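Review bot: The comment on the `no-challenge` row calls a 401 without a challenge valid, but RFC 9110 (section 15.5.2) requires a server that generates a 401 to send `WWW-Authenticate` with at least one challenge. What the row exercises is a non-conforming peer that the client must still handle by failing the request, so the comment would be more accurate as `// Don't provide a challenge header. A conforming server would not do this, but the client must still fail the request cleanly.` The row also covers only `responseHEADOnly == false`; a second row with `<< false << true << false` would cover a HEADERS-only 401, assuming the test server supports that combination.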
@@ -1081,11 +1086,15 @@ void tst_Http2::authenticationRequired()
POSTResponseHEADOnly = responseHEADOnly;
QFETCH(const bool, success);
+ QFETCH(const bool, withChallenge);
ServerPtr targetServer(newServer(defaultServerSettings, defaultConnectionType()));
QByteArray responseBody = "Hello"_ba;
targetServer->setResponseBody(responseBody);
- targetServer->setAuthenticationHeader("Basic realm=\"Shadow\"");
+ if (withChallenge)
+ targetServer->setAuthenticationHeader("Basic realm=\"Shadow\"");
+ else
+ targetServer->setAuthenticationRequired(true);
QMetaObject::invokeMethod(targetServer.data(), "startServer", Qt::QueuedConnection);
runEventLoop();
@@ -1142,7 +1151,7 @@ void tst_Http2::authenticationRequired()
QCOMPARE(reply->error(), QNetworkReply::AuthenticationRequiredError);
// else: no error (is checked in tst_Http2::replyFinished)
- QVERIFY(authenticationRequested);
+ QVERIFY(authenticationRequested || !withChallenge);
const auto isAuthenticated = [](const QByteArray &bv) {
return bv == "Basic YWRtaW46YWRtaW4="; // admin:admin
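Review bot: `QVERIFY(authenticationRequested || !withChallenge)` passes in the no-challenge case whether or not the client asked for credentials, so the test does not pin that no credential prompt happens when the server sent no challenge. If that is the intended behaviour, `QCOMPARE(authenticationRequested, withChallenge);` checks both directions. The place where `authenticationRequested` is set lies outside this hunk, so this should be confirmed against the signal handler; the `isAuthenticated` lambda also continues past the hunk's last line.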