Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / cc4d54ed02fc90b64c8567f4abb7ca5ce9fc35ee^! / . / system-proxy / server_proxy_test.cc
commitcc4d54ed02fc90b64c8567f4abb7ca5ce9fc35ee[log] [tgz]
authorAndreea Costinas <acostinas@google.com>Mon Oct 19 15:46:25 2020 +0200
committerCommit Bot <commit-bot@chromium.org>Wed Nov 04 11:45:05 2020 +0000
tree9003b4c8e3956bd7673c43a3bc440f441bdea4b2
parented9ddfcd376a8c134215d8ba689f66c469f3d7eb [diff] [blame]
system-proxy: Secure system credentials

Currently System-proxy sends the policy set credentials with every
connect request to a remote proxy. Since less secure authentication
schemes send the credentials in clear to the proxy, an attacker can
easily obtain the policy set credentials.

To protect against a downgrade attack, this CL restricts the auth
schemes for which the policy  set credentials can be applied.

BUG=chromium:1132247
TEST=HttpServerProxyConnectJobTest.PolicyAuth*

Change-Id: I17e2d3e38b1560f0fadf347657bd3f4b6e1bae09
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2483831
Tested-by: Andreea-Elena Costinas <acostinas@google.com>
Commit-Queue: Andreea-Elena Costinas <acostinas@google.com>
Reviewed-by: Pavol Marko <pmarko@chromium.org>

diff --git a/system-proxy/server_proxy_test.cc b/system-proxy/server_proxy_test.cc
index 3106b59..f84607b 100644
--- a/system-proxy/server_proxy_test.cc
+++ b/system-proxy/server_proxy_test.cc

@@ -8,6 +8,8 @@
 #include <sys/socket.h>
 #include <sys/types.h>
 
+#include <curl/curl.h>
+
 #include <gmock/gmock.h>
 #include <gtest/gtest.h>
 #include <utility>
@@ -62,6 +64,7 @@
                       OnConnectionSetupFinishedCallback setup_finished_callback)
       : ProxyConnectJob(std::move(socket),
                         credentials,
+                        CURLAUTH_ANY,
                         std::move(resolve_proxy_callback),
                         std::move(auth_required_callback),
                         std::move(setup_finished_callback)) {}
@@ -117,6 +120,9 @@
   worker::Credentials credentials;
   credentials.set_username(kUsername);
   credentials.set_password(kPassword);
+  credentials.add_policy_credentials_auth_schemes("basic");
+  credentials.add_policy_credentials_auth_schemes("digest");
+
   worker::WorkerConfigs configs;
   *configs.mutable_credentials() = credentials;
   RedirectStdPipes();
@@ -128,6 +134,8 @@
   std::string expected_credentials =
       base::JoinString({kUsernameEncoded, kPasswordEncoded}, ":");
   EXPECT_EQ(server_proxy_->system_credentials_, expected_credentials);
+  EXPECT_EQ(server_proxy_->system_credentials_auth_schemes_,
+            CURLAUTH_BASIC | CURLAUTH_DIGEST | CURLAUTH_NEGOTIATE);
 }
 
 TEST_F(ServerProxyTest, FetchListeningAddress) {