auth-int qop is ignored for Digest authentication

net/http/http_auth_handler_digest_unittest.cc

Index: net/http/http_auth_handler_digest_unittest.cc
===================================================================
--- net/http/http_auth_handler_digest_unittest.cc	(revision 63735)
+++ net/http/http_auth_handler_digest_unittest.cc	(working copy)
@@ -28,7 +28,7 @@
     int parsed_algorithm;
     int parsed_qop;
   } tests[] = {
-    {
+    { // Check that a minimal challenge works correctly.
       "Digest nonce=\"xyz\", realm=\"Thunder Bluff\"",
       true,
       "Thunder Bluff",
@@ -40,6 +40,80 @@
       HttpAuthHandlerDigest::QOP_UNSPECIFIED
     },
 
+    { // Realm does not need to be quoted, even though RFC2617 requires it.
+      "Digest nonce=\"xyz\", realm=ThunderBluff",

[eroman, 2010/11/11 23:02:58]

... I must have been playing WoW when I initially wrote these unittests. Good to
see the legacy continue :)

+      true,
+      "ThunderBluff",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // We allow the realm to be omitted, and will default it to empty string.
+      // See http://crbug.com/20984.
+      "Digest nonce=\"xyz\"",
+      true,
+      "",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // Try with realm set to empty string.
+      "Digest realm=\"\", nonce=\"xyz\"",
+      true,
+      "",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // At a minimum, a nonce must be provided.
+      "Digest realm=\"Thunder Bluff\"",
+      false,
+      "",
+      "",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // The nonce does not need to be quoted, even though RFC2617
+      // requires it.
+      "Digest nonce=xyz, realm=\"Thunder Bluff\"",
+      true,
+      "Thunder Bluff",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // Unknown authentication parameters are ignored.
+      "Digest nonce=\"xyz\", realm=\"Thunder Bluff\", foo=\"bar\"",
+      true,
+      "Thunder Bluff",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
     { // Check that when algorithm has an unsupported value, parsing fails.
       "Digest nonce=\"xyz\", algorithm=\"awezum\", realm=\"Thunder\"",
       false,
@@ -53,7 +127,8 @@
       HttpAuthHandlerDigest::QOP_UNSPECIFIED
     },
 
-    { // Check that algorithm's value is case insensitive.
+    { // Check that algorithm's value is case insensitive, and that MD5 is
+      // a supported algorithm.
       "Digest nonce=\"xyz\", algorithm=\"mD5\", realm=\"Oblivion\"",
       true,
       "Oblivion",
@@ -65,9 +140,8 @@
       HttpAuthHandlerDigest::QOP_UNSPECIFIED
     },
 
-    { // Check that md5-sess is recognized, as is single QOP
-      "Digest nonce=\"xyz\", algorithm=\"md5-sess\", "
-      "realm=\"Oblivion\", qop=\"auth\"",
+    { // Check that md5-sess is a supported algorithm.
+      "Digest nonce=\"xyz\", algorithm=\"md5-sess\", realm=\"Oblivion\"",
       true,
       "Oblivion",
       "xyz",
@@ -75,33 +149,121 @@
       "",
       false,
       HttpAuthHandlerDigest::ALGORITHM_MD5_SESS,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED,
+    },
+
+    { // Check that qop's value is case insensitive, and that auth is known.
+      "Digest nonce=\"xyz\", realm=\"Oblivion\", qop=\"aUth\"",
+      true,
+      "Oblivion",
+      "xyz",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
       HttpAuthHandlerDigest::QOP_AUTH
     },
 
-    { // We allow the realm to be omitted, and will default it to empty string.
-      // See http://crbug.com/20984.
-      "Digest nonce=\"xyz\"",
+    { // Check that a qop value of auth-int results in no handler,
+      // since Chrome's digest handler currently does not handle
+      // auth-int correctly.
+      "Digest nonce=\"xyz\", realm=\"Oblivion\", qop=\"auth-int\"",
+      false,
+      "",
+      "",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // Unknown qop values are ignored.
+      "Digest nonce=\"xyz\", realm=\"Oblivion\", qop=\"auth,foo\"",
       true,
+      "Oblivion",
+      "xyz",
       "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_AUTH
+    },
+
+    { // If auth-int is included with auth, then use auth.
+      "Digest nonce=\"xyz\", realm=\"Oblivion\", qop=\"auth,auth-int\"",
+      true,
+      "Oblivion",
       "xyz",
       "",
       "",
       false,
       HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_AUTH
+    },
+
+    { // Opaque parameter parsing should work correctly.
+      "Digest nonce=\"xyz\", realm=\"Thunder Bluff\", opaque=\"foobar\"",
+      true,
+      "Thunder Bluff",
+      "xyz",
+      "",
+      "foobar",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
       HttpAuthHandlerDigest::QOP_UNSPECIFIED
     },
 
-    { // Try with realm set to empty string.
-      "Digest realm=\"\", nonce=\"xyz\"",
+    { // Opaque parameters do not need to be quoted, even though RFC2617
+      // seems to require it.
+      "Digest nonce=\"xyz\", realm=\"Thunder Bluff\", opaque=foobar",
       true,
+      "Thunder Bluff",
+      "xyz",
       "",
+      "foobar",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // Domain can be parsed.
+      "Digest nonce=\"xyz\", realm=\"Thunder Bluff\", "
+      "domain=\"http://intranet.example.com/protection\"",
+      true,
+      "Thunder Bluff",
       "xyz",
+      "http://intranet.example.com/protection",
       "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
+
+    { // Multiple domains can be parsed.
+      "Digest nonce=\"xyz\", realm=\"Thunder Bluff\", "
+      "domain=\"http://intranet.example.com/protection http://www.google.com\"",
+      true,
+      "Thunder Bluff",
+      "xyz",
+      "http://intranet.example.com/protection http://www.google.com",
       "",
       false,
       HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
       HttpAuthHandlerDigest::QOP_UNSPECIFIED
-    }
+    },
+
+    { // If a non-Digest scheme is somehow passed in, it should be rejected.
+      "Basic realm=\"foo\"",
+      false,
+      "",
+      "",
+      "",
+      "",
+      false,
+      HttpAuthHandlerDigest::ALGORITHM_UNSPECIFIED,
+      HttpAuthHandlerDigest::QOP_UNSPECIFIED
+    },
   };
 
   GURL origin("http://www.example.com");
@@ -118,9 +280,10 @@
       EXPECT_EQ(OK, rv);
     } else {
       EXPECT_NE(OK, rv);
+      EXPECT_TRUE(handler.get() == NULL);
       continue;
     }
-    ASSERT_TRUE(handler != NULL);
+    ASSERT_TRUE(handler.get() != NULL);
     HttpAuthHandlerDigest* digest =
         static_cast<HttpAuthHandlerDigest*>(handler.get());
     EXPECT_STREQ(tests[i].parsed_realm, digest->realm_.c_str());
@@ -291,7 +454,7 @@
   }
 }
 
-TEST(HttpAuthHandlerDigest, HandleAnotherChallenge_Failed) {
+TEST(HttpAuthHandlerDigest, HandleAnotherChallenge) {
   scoped_ptr<HttpAuthHandlerDigest::Factory> factory(
       new HttpAuthHandlerDigest::Factory());
   scoped_ptr<HttpAuthHandler> handler;