Admin password (#958)

Fix #922
2025-11-20 11:45:53 +00:00 · 2023-10-31 15:39:20 +00:00
parent 1ce7bcbc28
commit 5e9e5f6f65
6 changed files with 154 additions and 18 deletions
--- a/unittests/web/AdminVerificationTests.cpp
+++ b/unittests/web/AdminVerificationTests.cpp
@@ -44,6 +44,8 @@ TEST_F(IPAdminVerificationStrategyTest, IsAdminOnlyForIP_127_0_0_1)
 class PasswordAdminVerificationStrategyTest : public NoLoggerFixture {
 protected:
    const std::string password_ = "secret";
+    const std::string passwordHash_ = "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b";
+
    web::detail::PasswordAdminVerificationStrategy strat_{password_};

    static http::request<http::string_body>
@@ -57,8 +59,8 @@ protected:

 TEST_F(PasswordAdminVerificationStrategyTest, IsAdminReturnsTrueOnlyForValidPasswordInAuthHeader)
 {
-    EXPECT_TRUE(strat_.isAdmin(makeRequest(password_), ""));
-    EXPECT_TRUE(strat_.isAdmin(makeRequest(password_), "123"));
+    EXPECT_TRUE(strat_.isAdmin(makeRequest(passwordHash_), ""));
+    EXPECT_TRUE(strat_.isAdmin(makeRequest(passwordHash_), "123"));

    // Wrong password
    EXPECT_FALSE(strat_.isAdmin(makeRequest("SECRET"), ""));
@@ -70,7 +72,7 @@ TEST_F(PasswordAdminVerificationStrategyTest, IsAdminReturnsTrueOnlyForValidPass
    EXPECT_FALSE(strat_.isAdmin(makeRequest("a"), "127.0.0.1"));

    // Wrong header
-    EXPECT_FALSE(strat_.isAdmin(makeRequest(password_, http::field::authentication_info), ""));
+    EXPECT_FALSE(strat_.isAdmin(makeRequest(passwordHash_, http::field::authentication_info), ""));
 }

 struct MakeAdminVerificationStrategyTestParams {
--- a/unittests/web/ServerTests.cpp
+++ b/unittests/web/ServerTests.cpp
@@ -21,6 +21,7 @@
 #include <util/TestHttpSyncClient.h>
 #include <web/Server.h>

+#include <ripple/protocol/digest.h>
 #include <boost/json/parse.hpp>
 #include <fmt/core.h>
 #include <gtest/gtest.h>
@@ -398,6 +399,49 @@ static auto constexpr JSONServerConfigWithAdminPassword = R"JSON(
    }
 )JSON";

+static auto constexpr JSONServerConfigWithAdminPasswordWithFalseLocalAdmin = R"JSON(
+    {
+        "server":{
+            "ip": "0.0.0.0",
+            "port": 8888,
+            "admin_password": "secret"
+        }
+    }
+)JSON";
+
+static auto constexpr JSONServerConfigWithLocalAdmin = R"JSON(
+    {
+        "server":{
+            "ip": "0.0.0.0",
+            "port": 8888,
+            "local_admin": true
+        }
+    }
+)JSON";
+
+static auto constexpr JSONServerConfigWithBothAdminPasswordAndLocalAdminFalse = R"JSON(
+    {
+        "server":{
+            "ip": "0.0.0.0",
+            "port": 8888,
+            "admin_password": "secret",
+            "local_admin": false
+        }
+    }
+)JSON";
+
+static auto constexpr JSONServerConfigWithNoSpecifiedAdmin = R"JSON(
+    {
+        "server":{
+            "ip": "0.0.0.0",
+            "port": 8888
+        }
+    }
+)JSON";
+
+// get this value from online sha256 generator
+static auto constexpr SecertSha256 = "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b";
+
 class AdminCheckExecutor {
 public:
    void
@@ -414,6 +458,7 @@ public:
 };

 struct WebServerAdminTestParams {
+    std::string config;
    std::vector<WebHeader> headers;
    std::string expectedResponse;
 };
@@ -423,7 +468,7 @@ class WebServerAdminTest : public WebServerTest, public ::testing::WithParamInte
 TEST_P(WebServerAdminTest, WsAdminCheck)
 {
    auto e = std::make_shared<AdminCheckExecutor>();
-    Config const serverConfig{boost::json::parse(JSONServerConfigWithAdminPassword)};
+    Config const serverConfig{boost::json::parse(GetParam().config)};
    auto server = makeServerSync(serverConfig, ctx, std::nullopt, dosGuardOverload, e);
    WebSocketSyncClient wsClient;
    wsClient.connect("localhost", "8888", GetParam().headers);
@@ -436,7 +481,7 @@ TEST_P(WebServerAdminTest, WsAdminCheck)
 TEST_P(WebServerAdminTest, HttpAdminCheck)
 {
    auto e = std::make_shared<AdminCheckExecutor>();
-    Config const serverConfig{boost::json::parse(JSONServerConfigWithAdminPassword)};
+    Config const serverConfig{boost::json::parse(GetParam().config)};
    auto server = makeServerSync(serverConfig, ctx, std::nullopt, dosGuardOverload, e);
    std::string const request = "Why hello";
    auto const res = HttpSyncClient::syncPost("localhost", "8888", request, GetParam().headers);
@@ -447,14 +492,74 @@ INSTANTIATE_TEST_CASE_P(
    WebServerAdminTestsSuit,
    WebServerAdminTest,
    ::testing::Values(
-        WebServerAdminTestParams{.headers = {}, .expectedResponse = "user"},
-        WebServerAdminTestParams{.headers = {WebHeader(http::field::authorization, "")}, .expectedResponse = "user"},
-        WebServerAdminTestParams{.headers = {WebHeader(http::field::authorization, "s")}, .expectedResponse = "user"},
        WebServerAdminTestParams{
-            .headers = {WebHeader(http::field::authorization, "secret")},
+            .config = JSONServerConfigWithAdminPassword,
+            .headers = {},
+            .expectedResponse = "user"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithAdminPassword,
+            .headers = {WebHeader(http::field::authorization, "")},
+            .expectedResponse = "user"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithAdminPassword,
+            .headers = {WebHeader(http::field::authorization, "s")},
+            .expectedResponse = "user"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithAdminPassword,
+            .headers = {WebHeader(http::field::authorization, SecertSha256)},
            .expectedResponse = "admin"},
        WebServerAdminTestParams{
-            .headers = {WebHeader(http::field::authentication_info, "secret")},
-            .expectedResponse = "user"}
+            .config = JSONServerConfigWithAdminPasswordWithFalseLocalAdmin,
+            .headers = {WebHeader(http::field::authorization, SecertSha256)},
+            .expectedResponse = "admin"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithBothAdminPasswordAndLocalAdminFalse,
+            .headers = {WebHeader(http::field::authorization, SecertSha256)},
+            .expectedResponse = "admin"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithAdminPassword,
+            .headers = {WebHeader(http::field::authentication_info, SecertSha256)},
+            .expectedResponse = "user"},
+        WebServerAdminTestParams{.config = JSONServerConfigWithLocalAdmin, .headers = {}, .expectedResponse = "admin"},
+        WebServerAdminTestParams{
+            .config = JSONServerConfigWithNoSpecifiedAdmin,
+            .headers = {},
+            .expectedResponse = "admin"}
+
    )
 );
+
+TEST_F(WebServerTest, AdminErrorCfgTestBothAdminPasswordAndLocalAdminSet)
+{
+    static auto constexpr JSONServerConfigWithBothAdminPasswordAndLocalAdmin = R"JSON(
+        {
+            "server":{
+                "ip": "0.0.0.0",
+                "port": 8888,
+                "admin_password": "secret",
+                "local_admin": true
+            }
+        }
+    )JSON";
+
+    auto e = std::make_shared<AdminCheckExecutor>();
+    Config const serverConfig{boost::json::parse(JSONServerConfigWithBothAdminPasswordAndLocalAdmin)};
+    EXPECT_THROW(web::make_HttpServer(serverConfig, ctx, std::nullopt, dosGuardOverload, e), std::logic_error);
+}
+
+TEST_F(WebServerTest, AdminErrorCfgTestBothAdminPasswordAndLocalAdminFalse)
+{
+    static auto constexpr JSONServerConfigWithNoAdminPasswordAndLocalAdminFalse = R"JSON(
+        {
+            "server":{
+                "ip": "0.0.0.0",
+                "port": 8888,
+                "local_admin": false
+            }
+        }
+    )JSON";
+
+    auto e = std::make_shared<AdminCheckExecutor>();
+    Config const serverConfig{boost::json::parse(JSONServerConfigWithNoAdminPasswordAndLocalAdminFalse)};
+    EXPECT_THROW(web::make_HttpServer(serverConfig, ctx, std::nullopt, dosGuardOverload, e), std::logic_error);
+}