Add tests for authentication failure

http-connect.c

@@ -94,20 +94,17 @@ static void httpc_read_cb(struct bufferevent *buffev, void *_arg)
 					http_auth *auth = (void*)(client->instance + 1);
 
 					if (auth->last_auth_query != NULL && auth->last_auth_count == 1) {
-						redsocks_log_error(client, LOG_NOTICE, "proxy auth failed");
+						redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth failed: %s", line);
 						redsocks_drop_client(client);
-
 						dropped = 1;
 					} else if (client->instance->config.login == NULL || client->instance->config.password == NULL) {
-						redsocks_log_error(client, LOG_NOTICE, "proxy auth required, but no login information provided");
+						redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth required, but no login/password configured: %s", line);
 						redsocks_drop_client(client);
-
 						dropped = 1;
 					} else {
 						char *auth_request = get_auth_request_header(buffev->input);
-
 						if (!auth_request) {
-							redsocks_log_error(client, LOG_NOTICE, "403 found, but no proxy auth challenge");
+							redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth required, but no <%s> header found: %s", auth_request_header, line);
 							redsocks_drop_client(client);
 							dropped = 1;
 						} else {
@@ -145,7 +142,7 @@ static void httpc_read_cb(struct bufferevent *buffev, void *_arg)
 				} else if (200 <= code && code <= 299) {
 					client->state = httpc_reply_came;
 				} else {
-					redsocks_log_error(client, LOG_NOTICE, "%s", line);
+					redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy error: %s", line);
 					redsocks_drop_client(client);
 					dropped = 1;
 				}

http-relay.c

@@ -171,21 +171,19 @@ static void httpr_relay_read_cb(struct bufferevent *buffev, void *_arg)
 					http_auth *auth = (void*)(client->instance + 1);
 
 					if (auth->last_auth_query != NULL && auth->last_auth_count == 1) {
-						redsocks_log_error(client, LOG_NOTICE, "proxy auth failed");
+						redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth failed: %s", line);
 						redsocks_drop_client(client);
-
 						dropped = 1;
 					} else if (client->instance->config.login == NULL || client->instance->config.password == NULL) {
-						redsocks_log_error(client, LOG_NOTICE, "proxy auth required, but no login information provided");
+						redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth required, but no login/password configured: %s", line);
 						redsocks_drop_client(client);
-
 						dropped = 1;
 					} else {
 						free(line);
 						char *auth_request = get_auth_request_header(buffev->input);
 
 						if (!auth_request) {
-							redsocks_log_error(client, LOG_NOTICE, "403 found, but no proxy auth challenge");
+							redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy auth required, but no <%s> header found: %s", auth_request_header, line);
 							redsocks_drop_client(client);
 							dropped = 1;
 						} else {
@@ -223,7 +221,7 @@ static void httpr_relay_read_cb(struct bufferevent *buffev, void *_arg)
 				} else if (100 <= code && code <= 999) {
 					client->state = httpr_reply_came;
 				} else {
-					redsocks_log_error(client, LOG_NOTICE, "%s", line);
+					redsocks_log_error(client, LOG_NOTICE, "HTTP Proxy error: %s", line);
 					redsocks_drop_client(client);
 					dropped = 1;
 				}

socks5.c

@@ -231,16 +231,18 @@ static void socks5_read_auth_reply(struct bufferevent *buffev, redsocks_client *
 		return;
 
 	if (reply.ver != socks5_password_ver) {
-		redsocks_log_error(client, LOG_NOTICE, "Socks5 server reported unexpected auth reply version...");
+		redsocks_log_error(client, LOG_NOTICE, "Socks5 server reported unexpected auth reply version %d", reply.ver);
 		redsocks_drop_client(client);
 	}
 	else if (reply.status == socks5_password_passed)
 		redsocks_write_helper(
 			buffev, client,
 			socks5_mkconnect, socks5_request_sent, sizeof(socks5_reply)
 			);
-	else
+	else {
+		redsocks_log_error(client, LOG_NOTICE, "Socks5 auth failure, status %i", reply.status);
 		redsocks_drop_client(client);
+    }
 }
 
 static void socks5_read_reply(struct bufferevent *buffev, redsocks_client *client, socks5_client *socks5)

tests/cleanup

@@ -1,5 +1,5 @@
 #!/bin/bash -x
 docker ps
-vms=$(echo gw web inetd regw dante-{0..1} squid-{8..9} tank{10..14})
+vms=$(echo gw web inetd regw dante-{0..1} squid-{8..9} tank{10..20})
 docker stop --time 1 $vms
 docker rm $vms

tests/conftest.py

@@ -174,6 +174,12 @@ def pmap(l):
     'connect_digest': TANKS_BASE + 2,
     'socks5_none': TANKS_BASE + 3,
     'socks5_auth': TANKS_BASE + 4,
+    'connect_nopass': TANKS_BASE + 5,
+    'connect_baduser': TANKS_BASE + 6,
+    'connect_badpass': TANKS_BASE + 7,
+    'socks5_nopass': TANKS_BASE + 8,
+    'socks5_baduser': TANKS_BASE + 9,
+    'socks5_badpass': TANKS_BASE + 10,
 }
 
 class _Network(object):

tests/regw/redsocks.conf

@@ -51,3 +51,59 @@ redsocks {
     login = sockusr;
     password = sockpwd;
 }
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12345;
+    ip = 10.0.1.9;
+    port = 8081;
+    type = http-connect;
+}
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12346;
+    ip = 10.0.1.9;
+    port = 8081;
+    type = http-connect;
+    login = luser;
+    password = digest_password;
+}
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12347;
+    ip = 10.0.1.9;
+    port = 8081;
+    type = http-connect;
+    login = digest_user;
+    password = buzzword;
+}
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12348;
+    ip = 10.0.1.181;
+    port = 1081;
+    type = socks5;
+}
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12349;
+    ip = 10.0.1.181;
+    port = 1081;
+    type = socks5;
+    login = luser;
+    password = sockpwd;
+}
+
+redsocks {
+    local_ip = 0.0.0.0;
+    local_port = 12350;
+    ip = 10.0.1.181;
+    port = 1081;
+    type = socks5;
+    login = sockusr;
+    password = buzzword;
+}

tests/test_smoke.py

@@ -1,5 +1,5 @@
 from functools import partial
-from subprocess import check_call
+from subprocess import check_call, CalledProcessError
 import time
 
 import conftest
@@ -9,12 +9,30 @@
 def test_vmdebug(net):
     check_call('sleep 365d'.split())
 
-@pytest.mark.parametrize('tank', conftest.TANKS.keys())
+GOOD_AUTH = 'connect_none connect_basic connect_digest socks5_none socks5_auth'.split()
+BAD_AUTH = 'connect_nopass connect_baduser connect_badpass socks5_nopass socks5_baduser socks5_badpass'.split()
+assert set(conftest.TANKS) == set(GOOD_AUTH + BAD_AUTH)
+
+@pytest.mark.parametrize('tank', GOOD_AUTH)
 def test_smoke(net, tank):
     vm = net.vm['tank%d' % conftest.TANKS[tank]]
     page = vm.do('curl --max-time 0.5 http://10.0.1.80/')
     assert 'Welcome to nginx!' in page
 
+@pytest.mark.parametrize('tank', BAD_AUTH)
+def test_badauth(net, tank):
+    vm = net.vm['tank%d' % conftest.TANKS[tank]]
+    with pytest.raises(CalledProcessError) as excinfo:
+        vm.do('curl --max-time 0.5 http://10.0.1.80/')
+    assert excinfo.value.returncode == 52 # Empty reply from server
+
+@pytest.mark.parametrize('tank', conftest.TANKS)
+def test_econnrefused(net, tank):
+    vm = net.vm['tank%d' % conftest.TANKS[tank]]
+    with pytest.raises(CalledProcessError) as excinfo:
+        vm.do('curl --max-time 0.5 http://10.0.1.80:81/')
+    assert excinfo.value.returncode == 52 # Empty reply from server
+
 RTT = 200 # ms
 
 @pytest.fixture(scope="function")
@@ -45,7 +63,7 @@ def http_ping(vm):
     connect, total, code, size = float(connect) * 1000, float(total) * 1000, int(code), int(size)
     return connect, total, code, size
 
-@pytest.mark.parametrize('tank', conftest.TANKS.keys())
+@pytest.mark.parametrize('tank', set(conftest.TANKS) & set(LATENCY))
 def test_latency_tank(slow_net, tank):
     vm = slow_net.vm['tank%d' % conftest.TANKS[tank]]
     heatup(vm)