18 files changed, 288 insertions, 0 deletions
diff --git a/src/tests/auth/all.mk b/src/tests/auth/all.mk
new file mode 100644
index 0000000..284033f
--- /dev/null
+++ b/src/tests/auth/all.mk
@@ -0,0 +1,119 @@
+#
+#  Unit tests for authentication
+#
+
+#
+#  The test files are files without extensions.
+#  The list is unordered.  The order is added in the next step by looking
+#  at precursors.
+#
+AUTH_FILES := $(filter-out %.conf %.md %.attrs %.mk %~ %.rej,$(subst $(DIR)/,,$(wildcard $(DIR)/*)))
+
+#
+#  Create the output directory
+#
+.PHONY: $(BUILD_DIR)/tests/auth
+$(BUILD_DIR)/tests/auth:
+	@mkdir -p $@
+
+#
+#  Find which input files are needed by the tests
+#  strip out the ones which exist
+#  move the filenames to the build directory.
+#
+AUTH_EXISTS := $(addprefix $(DIR)/,$(addsuffix .attrs,$(AUTH_FILES)))
+AUTH_NEEDS	 := $(filter-out $(wildcard $(AUTH_EXISTS)),$(AUTH_EXISTS))
+AUTH	 := $(subst $(DIR),$(BUILD_DIR)/tests/auth,$(AUTH_NEEDS))
+
+AUTH_HAS	 := $(filter $(wildcard $(AUTH_EXISTS)),$(AUTH_EXISTS))
+AUTH_COPY	 := $(subst $(DIR),$(BUILD_DIR)/tests/auth,$(AUTH_NEEDS))
+
+#
+#  For each file, look for precursor test.
+#  Ensure that each test depends on its precursors.
+#
+-include $(BUILD_DIR)/tests/auth/depends.mk
+
+$(BUILD_DIR)/tests/auth/depends.mk: $(addprefix $(DIR)/,$(AUTH_FILES)) | $(BUILD_DIR)/tests/auth
+	@rm -f $@
+	@for x in $^; do \
+		y=`grep 'PRE: ' $$x | sed 's/.*://;s/  / /g;s, , $(BUILD_DIR)/tests/auth/,g'`; \
+		if [ "$$y" != "" ]; then \
+			z=`echo $$x | sed 's,src/,$(BUILD_DIR)/',`; \
+			echo "$$z: $$y" >> $@; \
+			echo "" >> $@; \
+		fi \
+	done
+#
+#  These ones get copied over from the default input
+#
+$(AUTH): $(DIR)/default-input.attrs | $(BUILD_DIR)/tests/auth
+	@cp $< $@
+
+#
+#  These ones get copied over from their original files
+#
+$(BUILD_DIR)/tests/auth/%.attrs: $(DIR)/%.attrs | $(BUILD_DIR)/tests/auth
+	@cp $< $@
+
+#
+#  Don't auto-remove the files copied by the rule just above.
+#  It's unnecessary, and it clutters the output with crap.
+#
+.PRECIOUS: $(BUILD_DIR)/tests/auth/%.attrs raddb/mods-enabled/wimax
+
+AUTH_MODULES	:= $(shell grep -- mods-enabled src/tests/auth/radiusd.conf  | sed 's,.*/,,')
+AUTH_RADDB	:= $(addprefix raddb/mods-enabled/,$(AUTH_MODULES))
+AUTH_LIBS	:= $(addsuffix .la,$(addprefix rlm_,$(AUTH_MODULES)))
+
+#
+#  Files in the output dir depend on the unit tests
+#
+#	src/tests/auth/FOO		unlang for the test
+#	src/tests/auth/FOO.attrs	input RADIUS and output filter
+#	build/tests/auth/FOO	updated if the test succeeds
+#	build/tests/auth/FOO.log	debug output for the test
+#
+#  Auto-depend on modules via $(shell grep INCLUDE $(DIR)/radiusd.conf | grep mods-enabled | sed 's/.*}/raddb/'))
+#
+#  If the test fails, then look for ERROR in the input.  No error
+#  means it's unexpected, so we die.
+#
+#  Otherwise, check the log file for a parse error which matches the
+#  ERROR line in the input.
+#
+$(BUILD_DIR)/tests/auth/%: $(DIR)/% $(BUILD_DIR)/tests/auth/%.attrs $(TESTBINDIR)/unittest | $(BUILD_DIR)/tests/auth $(AUTH_RADDB) $(AUTH_LIBS) build.raddb
+	@echo UNIT-TEST $(notdir $@)
+	@if ! TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1; then \
+		if ! grep ERROR $< 2>&1 > /dev/null; then \
+			cat $@.log; \
+			echo "# $@.log"; \
+			echo "TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1"; \
+			exit 1; \
+		fi; \
+		FOUND=$$(grep ^$< $@.log | head -1 | sed 's/:.*//;s/.*\[//;s/\].*//'); \
+		EXPECTED=$$(grep -n ERROR $< | sed 's/:.*//'); \
+		if [ "$$EXPECTED" != "$$FOUND" ]; then \
+			cat $@.log; \
+			echo "# $@.log"; \
+			echo "TESTDIR=$(notdir $@) $(TESTBIN)/unittest -D share -d src/tests/auth/ -i $@.attrs -f $@.attrs -xxx > $@.log 2>&1"; \
+			exit 1; \
+		fi \
+	fi
+	@touch $@
+
+#
+#  Get all of the unit test output files
+#
+TESTS.AUTH_FILES := $(addprefix $(BUILD_DIR)/tests/auth/,$(AUTH_FILES))
+
+#
+#  Depend on the output files, and create the directory first.
+#
+tests.auth: $(TESTS.AUTH_FILES)
+
+$(TESTS.AUTH_FILES): $(TESTS.KEYWORDS_FILES)
+
+.PHONY: clean.tests.auth
+clean.tests.auth:
+	@rm -rf $(BUILD_DIR)/tests/auth/
diff --git a/src/tests/auth/chap b/src/tests/auth/chap
new file mode 100644
index 0000000..648546a
--- /dev/null
+++ b/src/tests/auth/chap
@@ -0,0 +1,3 @@
+#
+#  Password is already set in radiusd.conf
+#
diff --git a/src/tests/auth/chap.attrs b/src/tests/auth/chap.attrs
new file mode 100644
index 0000000..04df463
--- /dev/null
+++ b/src/tests/auth/chap.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob",
+CHAP-Password := "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/chap_header b/src/tests/auth/chap_header
new file mode 100644
index 0000000..13c3c9b
--- /dev/null
+++ b/src/tests/auth/chap_header
@@ -0,0 +1,7 @@
+#
+#  over-ride password set in radiusd.conf
+#
+update control {
+	Cleartext-Password -= 'hello'
+	Password-With-Header := 'oracle01'
+}
diff --git a/src/tests/auth/chap_header.attrs b/src/tests/auth/chap_header.attrs
new file mode 100644
index 0000000..9f815c7
--- /dev/null
+++ b/src/tests/auth/chap_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+CHAP-Password = 'oracle01'
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/digest b/src/tests/auth/digest
new file mode 100644
index 0000000..4858977
--- /dev/null
+++ b/src/tests/auth/digest
@@ -0,0 +1,3 @@
+update control {
+	Cleartext-Password := "zanzibar"
+}
diff --git a/src/tests/auth/digest.attrs b/src/tests/auth/digest.attrs
new file mode 100644
index 0000000..2d32aa0
--- /dev/null
+++ b/src/tests/auth/digest.attrs
@@ -0,0 +1,25 @@
+#
+#  http://ftp6.us.freebsd.org/pub/rfc/internet-drafts/draft-smith-sipping-auth-examples-01.txt
+#
+#  3.5.2
+#
+#
+#  In the "users" file: bob	Cleartext-Password := "zanzibar"
+#
+#	TESTS 1
+#
+User-Name = "bob",
+Digest-Response = "bdbeebb2da6adb6bca02599c2239e192"
+Digest-Realm = "biloxi.com",
+Digest-Nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093",
+Digest-Method = "INVITE",
+Digest-URI = "sip:bob@biloxi.com",
+Digest-Algorithm = "MD5",
+Digest-User-Name = "bob",
+Digest-QOP = "auth-int",
+Digest-Nonce-Count = "00000001",
+Digest-CNonce = "0a4f113b",
+Digest-Body-Digest = "c1ed018b8ec4a3b170c0921f5b564e48",
+Message-Authenticator = ""
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/md5_password b/src/tests/auth/md5_password
new file mode 100644
index 0000000..4376056
--- /dev/null
+++ b/src/tests/auth/md5_password
@@ -0,0 +1,7 @@
+#
+#  over-ride password set in radiusd.conf
+#
+update control {
+	Cleartext-Password -= ANY
+	Password-With-Header := '{md5}5d41402abc4b2a76b9719d911017c592'
+}
diff --git a/src/tests/auth/md5_password.attrs b/src/tests/auth/md5_password.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/md5_password.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/password_with_header b/src/tests/auth/password_with_header
new file mode 100644
index 0000000..08993ab
--- /dev/null
+++ b/src/tests/auth/password_with_header
@@ -0,0 +1,7 @@
+#
+#  over-ride password set in radiusd.conf
+#
+update control {
+	Cleartext-Password -= 'hello'
+	Password-With-Header := '{clear}hello'
+}
diff --git a/src/tests/auth/password_with_header.attrs b/src/tests/auth/password_with_header.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/password_with_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/password_without_header b/src/tests/auth/password_without_header
new file mode 100644
index 0000000..6fab6b3
--- /dev/null
+++ b/src/tests/auth/password_without_header
@@ -0,0 +1,7 @@
+#
+#  over-ride password set in radiusd.conf
+#
+update control {
+	Cleartext-Password -= 'hello'
+	Password-With-Header := 'hello'
+}
diff --git a/src/tests/auth/password_without_header.attrs b/src/tests/auth/password_without_header.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/password_without_header.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/radiusd.conf b/src/tests/auth/radiusd.conf
new file mode 100644
index 0000000..2d822e7
--- /dev/null
+++ b/src/tests/auth/radiusd.conf
@@ -0,0 +1,50 @@
+#
+#  Minimal radiusd.conf for testing keywords
+#
+
+raddb		= raddb
+testdir		= src/tests/auth
+
+modconfdir = ${raddb}/mods-config
+
+#  Only for testing!
+#  Setting this on a production system is a BAD IDEA.
+security {
+	allow_vulnerable_openssl = yes
+}
+
+modules {
+	$INCLUDE ${raddb}/mods-enabled/always
+
+	$INCLUDE ${raddb}/mods-enabled/pap
+
+	$INCLUDE ${raddb}/mods-enabled/chap
+
+	$INCLUDE ${raddb}/mods-enabled/expr
+
+	$INCLUDE ${raddb}/mods-enabled/digest
+}
+
+server default {
+	authorize {
+		update control {
+			Cleartext-Password := 'hello'
+		}
+
+		#
+		# Include the test file specified by the
+		# KEYWORD environment variable.
+		#
+		$INCLUDE ${testdir}/$ENV{TESTDIR}
+
+		digest
+		chap
+		pap
+	}
+
+	authenticate {
+		digest
+		pap
+		chap
+	}
+}
diff --git a/src/tests/auth/user_password b/src/tests/auth/user_password
new file mode 100644
index 0000000..648546a
--- /dev/null
+++ b/src/tests/auth/user_password
@@ -0,0 +1,3 @@
+#
+#  Password is already set in radiusd.conf
+#
diff --git a/src/tests/auth/user_password.attrs b/src/tests/auth/user_password.attrs
new file mode 100644
index 0000000..65b967b
--- /dev/null
+++ b/src/tests/auth/user_password.attrs
@@ -0,0 +1,4 @@
+User-Name = "bob"
+User-Password = "hello"
+
+Response-Packet-Type == Access-Accept
diff --git a/src/tests/auth/wimax b/src/tests/auth/wimax
new file mode 100644
index 0000000..648546a
--- /dev/null
+++ b/src/tests/auth/wimax
@@ -0,0 +1,3 @@
+#
+#  Password is already set in radiusd.conf
+#
diff --git a/src/tests/auth/wimax.attrs b/src/tests/auth/wimax.attrs
new file mode 100644
index 0000000..38ec09a
--- /dev/null
+++ b/src/tests/auth/wimax.attrs
@@ -0,0 +1,30 @@
+#
+#  Tests for WiMAX attributes
+#
+#	TESTS 1
+#
+User-Name = "bob"
+User-Password = "hello"
+WiMAX-GMT-Timezone-offset = -1
+WiMAX-AAA-Session-Id = 0x01020304
+WiMAX-hHA-IP-MIP4 = 192.0.2.1
+#
+#  Manually encoded capability
+#
+WiMAX-Capability = 0x01ff45454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545454545040301
+#
+#  Automatically encoded capability
+#
+WiMAX-Accounting-Capabilities = 2
+WiMAX-Release = "1.0"
+WiMAX-Packet-Data-Flow-Id = 1
+#
+#  Long string
+#
+WiMAX-Hotline-Indicator = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxaaaaaaaaaabbbbbbbbbbcccccccccc123"
+WiMAX-Service-Data-Flow-Id = 2
+WiMAX-hHA-IP-MIP4 = 192.0.2.2
+
+
+# and the response
+Response-Packet-Type == Access-Accept