There are no automated tests for NTLM authentication
Categories
(Core :: Networking, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox95 | --- | fixed |
People
(Reporter: abartlet, Assigned: valentin)
References
Details
(Whiteboard: [necko-backlog][ntlm])
Attachments
(3 files, 2 obsolete files)
We need to have an automated test for NTLM authentication, to ensure that unrelated or deliberate changes do not break this important subsystem, which is not typically used by pre-release testers. Such a tool could use Samba's ntlm_auth binary to provide NTLM authentication services on the server, using the --password mode to use a fixed password rather than a real AD domain as the backend.
Reporter | ||
Comment 1•9 years ago
|
||
This is a follow-on from my work developing the NTLMv2 code in bug 423758, which could only be manually tested.
Reporter | ||
Updated•9 years ago
|
Comment hidden (abuse-reviewed) |
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Updated•8 years ago
|
Comment 3•8 years ago
|
||
Add some basic NTLM authentication unit tests Note: The proxy authentication currently fails as the proxy connection is reused on a failed authentication attempt. This can cause issues on squid proxies.
Comment 4•8 years ago
|
||
Honza is there a way to detect whether the password UI would have been displayed during a test run. For the the case when a web server logon is rejected it would be useful to check that the proxy credentials are not prompted for,
Comment 5•8 years ago
|
||
Comment on attachment 8815964 [details] [diff] [review] 1160000.patch f? me
Comment 6•8 years ago
|
||
Added a unit test to detect bug 486508
Comment 7•8 years ago
|
||
The current tests use an nsHttpChannel What is also needed are tests that are higher up the stack to capture UI issues i.e. unnecessary password prompts, page load failures. To do this need to identify the appropriate API to use for the higher level tests, and find a way to flag when a password or retry dialog was displayed in the tests. Ideally a connection would be discarded once there is an error, this avoids issues with less compliant server implementations. The unit tests in the patch don't enforce this at present, however the code can be uncommented when desired.
Comment 9•8 years ago
|
||
Comment 7 is a summary of what needs to be done, for when I hopefully get back into this. However if you do have any ideas for the higher level tests that would be useful.
Comment 10•7 years ago
|
||
Gary, to answer to comment 7, you may look at [1] and surrounding. To implement a handler for a request that will do the ntlm exchange, you need to create an .sjs file, see [1.1]. To store a state on the server between calls of the handler use setState and getState, see [1.2] for example. For simpler (unit js) test you can also have your own implementation of nsIAuthPromptProvider (providing GetAuthPrompt method returning nsIAuthPrompt2 implementation that is then asked for a password via asyncPromptAuth method.) nsIAuthPromptProvider object is then attached to a channel through nsIChannel.notificationCallbacks. For an example see [2]. to sum how that works: - channel, when auth challenge is received and a prompt is needed, asks it's "notification callbacks" for nsIAuthPromptProvider interface (via nsIInterfaceRequestor interface) - it gets an opaque object, a provider - that has a method, getAuthPrompt, which returns an object implementing nsIAuthPrompt2 interface - that object provides few methods to raise a prompt, mainly asyncPromptAuth - if called, the channel expects to get (delayed) calls to onAuthAvailable or onAuthCanceled, see [3] interface, which is implemented by nsHttpChannelAuthProvider C class one bad thing is that our testing httpd.js server doesn't support keep alive connections :/ we use it for both js unit tests (you provide in the patch) and mochitests (the test I refer at [1]). but that is something that needs to be fixed elsewhere, not in this bug. How is it going with verification that the tests catch actual problems? Thanks so far! [1] https://dxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/test/test_prompt_async.html [1.1] https://dxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/test/authenticate.sjs [1.2] https://dxr.mozilla.org/mozilla-central/rev/8103c612b79c2587ea4ca1b0a9f9f82db4b185b8/dom/xhr/tests/file_html_in_xhr.sjs#5,11 [2] https://dxr.mozilla.org/mozilla-central/search?q=asyncPromptAuth+path%3Anetwerk%2Ftest%2Funit&redirect=false [3] https://dxr.mozilla.org/mozilla-central/rev/8103c612b79c2587ea4ca1b0a9f9f82db4b185b8/netwerk/base/nsIAuthPromptCallback.idl#29
Comment 11•7 years ago
|
||
The last patch appears to detect 486508, and with the data on the nsiAuthPromptProvider it should be possible to to do more.
Comment 13•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Comment 14•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Assignee | ||
Comment 15•3 years ago
|
||
I'll try to see if we can land this patch as-is (or with minor fixups)
Assignee | ||
Comment 16•3 years ago
|
||
Assignee | ||
Comment 17•3 years ago
|
||
I just got the previously added tests to run properly.
While it would be nice to make them clean and modern I think it's not
worth the additional effort - just increasing the code coverage should
be enough.
Depends on D129007
Assignee | ||
Comment 18•3 years ago
|
||
Comment on attachment 8816936 [details] [diff] [review]
Update unit tests
Obsoleted by attachment 9246829 [details]
Assignee | ||
Comment 19•3 years ago
|
||
Depends on D129008
Comment 20•3 years ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b168979602ed Add xpcshell-tests for NTLM authentication r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/4568eec2f406 Fix up NTLM tests r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/b44e97e2ca07 Fix netwerk/test/unit/xpcshell.ini lint warnings r=necko-reviewers,dragana
Comment 21•3 years ago
|
||
Backed out 3 changesets (Bug 1160000) for causing xpcshell failures on test_ntlm_web_auth.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/c3f6b7b6ee72ead8dd052d4e30c617c50dcd90ed
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&revision=b44e97e2ca075247b15f63c1598b890d6d0388fb&selectedTaskRun=QDvvqQfpQGCm5deDxJ3ifg.0
Failure log: https://treeherder.mozilla.org/logviewer?job_id=355573630&repo=autoland
Comment 22•3 years ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2da1648e98dc Add xpcshell-tests for NTLM authentication r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/f3b9b2ca9807 Fix up NTLM tests r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/6a4706efa917 Fix netwerk/test/unit/xpcshell.ini lint warnings r=necko-reviewers,dragana
Assignee | ||
Updated•3 years ago
|
Comment 23•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/2da1648e98dc
https://hg.mozilla.org/mozilla-central/rev/f3b9b2ca9807
https://hg.mozilla.org/mozilla-central/rev/6a4706efa917
Description
•