test(auth): add invalid credentials auth spec tests

dvjn · dvjn · commit 1c0455306fb4 · 2026-02-07T21:45:59.000Z
- Added TestInvalidCredentialsAgainstAuthSpec to verify:
  - Wrong password for existing user returns 401
  - Non-existent user returns 401 (prevents enumeration)
  - Empty password scenarios handled
  - WWW-Authenticate header set per auth spec
  - Same response for all invalid creds (no user hints)

- Removed outdated tests:
  - TestHtpasswdAuthSupportedHashTypes (method removed)
  - TestGetClientIP (function removed)

Assisted-by: Tern
diff --git a/internal/auth/htpasswd/htpasswd_test.go b/internal/auth/htpasswd/htpasswd_test.go
@@ -103,39 +103,6 @@ func TestHtpasswdAuthMultipleUsers(t *testing.T) {
 	}
 }
 
-func TestHtpasswdAuthSupportedHashTypes(t *testing.T) {
-	logger := zerolog.New(zerolog.NewConsoleWriter())
-
-	cfg := &config.HtpasswdConfig{
-		Contents: "testuser:" + testBcryptHash,
-	}
-
-	auth, err := NewHtpasswdAuth(cfg, &logger)
-	if err != nil {
-		t.Fatalf("Failed to create htpasswd auth: %v", err)
-	}
-
-	types := auth.SupportedHashTypes()
-	if len(types) == 0 {
-		t.Error("Expected at least one supported hash type")
-	}
-
-	// The library DefaultSystems includes: bcrypt, md5, sha, sha256, sha512, crypt, plain
-	expected := []string{"bcrypt", "md5", "sha", "sha256", "sha512", "crypt", "plain"}
-	for _, exp := range expected {
-		found := false
-		for _, typ := range types {
-			if typ == exp {
-				found = true
-				break
-			}
-		}
-		if !found {
-			t.Errorf("Expected hash type %s to be in supported types", exp)
-		}
-	}
-}
-
 func TestBasicAuthMiddleware(t *testing.T) {
 	logger := zerolog.New(zerolog.NewConsoleWriter())
 	cfg := &config.HtpasswdConfig{
@@ -224,7 +191,7 @@ func TestShouldSkipAuth(t *testing.T) {
 	}
 }
 
-func TestGetClientIP(t *testing.T) {
+func TestInvalidCredentialsAgainstAuthSpec(t *testing.T) {
 	logger := zerolog.New(zerolog.NewConsoleWriter())
 	cfg := &config.HtpasswdConfig{
 		Contents: "testuser:" + testBcryptHash,
@@ -235,28 +202,86 @@ func TestGetClientIP(t *testing.T) {
 		t.Fatalf("Failed to create auth: %v", err)
 	}
 
-	// Test X-Forwarded-For
-	req := httptest.NewRequest("GET", "/v2/", nil)
-	req.RemoteAddr = "192.0.2.1:12345"
-	req.Header.Set("X-Forwarded-For", "10.0.0.1")
-	ip := auth.getClientIP(req)
-	if ip != "10.0.0.1" {
-		t.Errorf("Expected IP %s, got %s", "10.0.0.1", ip)
-	}
+	middleware := auth.DistributionMiddleware()
+	handler := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
 
-	// Test X-Real-IP
-	req.Header.Del("X-Forwarded-For")
-	req.Header.Set("X-Real-IP", "10.0.0.2")
-	ip = auth.getClientIP(req)
-	if ip != "10.0.0.2" {
-		t.Errorf("Expected IP %s, got %s", "10.0.0.2", ip)
-	}
+	testCases := []struct {
+		name           string
+		username       string
+		password       string
+		expectedStatus int
+	}{
+		{
+			name:           "wrong password for existing user",
+			username:       "testuser",
+			password:       "wrongpassword",
+			expectedStatus: http.StatusUnauthorized,
+		},
+		{
+			name:           "non-existent user with password",
+			username:       "nonexistent",
+			password:       "password",
+			expectedStatus: http.StatusUnauthorized,
+		},
+		{
+			name:           "non-existent user empty password",
+			username:       "nonexistent",
+			password:       "",
+			expectedStatus: http.StatusUnauthorized,
+		},
+		{
+			name:           "existing user empty password",
+			username:       "testuser",
+			password:       "",
+			expectedStatus: http.StatusUnauthorized,
+		},
+		{
+			name:           "non-existent user with very long password",
+			username:       "hacker",
+			password:       strings.Repeat("a", 1000),
+			expectedStatus: http.StatusUnauthorized,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "/v2/some/repo/manifests/latest", nil)
+			req.SetBasicAuth(tc.username, tc.password)
+			w := httptest.NewRecorder()
+
+			handler.ServeHTTP(w, req)
+
+			// Verify 401 status
+			if w.Code != tc.expectedStatus {
+				t.Errorf("Expected status %d, got %d", tc.expectedStatus, w.Code)
+			}
+
+			// Verify WWW-Authenticate header is set (per auth spec)
+			authHeader := w.Header().Get("WWW-Authenticate")
+			if authHeader == "" {
+				t.Error("Expected WWW-Authenticate header to be set")
+			}
+			if !strings.Contains(authHeader, "Sorcerer OCI Registry") {
+				t.Errorf("Expected WWW-Authenticate to contain realm, got: %s", authHeader)
+			}
+
+			// Verify that response body doesn't reveal user existence
+			// (should be the same for wrong password as non-existent user)
+			body1 := w.Body.String()
 
-	// Test RemoteAddr fallback
-	req.Header.Del("X-Real-IP")
-	ip = auth.getClientIP(req)
-	if ip != "192.0.2.1" {
-		t.Errorf("Expected IP %s, got %s", "192.0.2.1", ip)
+			// Test with a different invalid credential
+			req2 := httptest.NewRequest("GET", "/v2/some/repo/manifests/latest", nil)
+			req2.SetBasicAuth("otheruser", "otherpass")
+			w2 := httptest.NewRecorder()
+			handler.ServeHTTP(w2, req2)
+
+			body2 := w2.Body.String()
+			if body1 != body2 {
+				t.Error("Response should not reveal whether user exists by differing")
+			}
+		})
 	}
 }
 
