From 9c4c732e4e3f148e05f278c9b07ffcaedacad20b Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Mon, 7 Jul 2014 15:13:52 -0700
Subject: [PATCH] Adds regression test to the hash functionality

As reported on: #742 and #752 it seems that the SecHash functionality is not working as expected.
---
tests/regression/misc/40-sec-hash-engine.t | 118 ++++++++++++++++++
.../server_root/htdocs/hash_test.html | 6 +
2 files changed, 124 insertions(+)
create mode 100644 tests/regression/misc/40-sec-hash-engine.t
create mode 100644 tests/regression/server_root/htdocs/hash_test.html

diff --git a/tests/regression/misc/40-sec-hash-engine.t b/tests/regression/misc/40-sec-hash-engine.t
new file mode 100644
index 00000000..e0770e1f
--- /dev/null
+++ b/tests/regression/misc/40-sec-hash-engine.t
@@ -0,0 +1,118 @@
+### libinjection.
+
+{
+ type => "misc",
+ comment => "SecHash engine - missing paramenter",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyAccess On
+ SecContentInjection On
+ SecStreamOutBodyInspection On
+ SecDisableBackendCompression On
+
+ SecHashEngine On
+ SecHashParam "hmac"
+ SecHashKey "some_key" KeyOnly
+ SecHashMethodRx "HashHref" "\.(txt)"
+ SecRule REQUEST_URI "\@validateHash \.(txt)" "phase:2,id:1000,t:none,ctl:hashEnforcement=On,deny"
+ ),
+ match_log => {
+ error => [ qr/Request URI matched .* at REQUEST_URI. No Hash parameter/, 1],
+ debug => [ qr/Request URI without hash parameter/, 1 ],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+ ),
+},
+{
+ type => "misc",
+ comment => "SecHash engine - wrong paramenter",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyAccess On
+ SecContentInjection On
+ SecStreamOutBodyInspection On
+ SecDisableBackendCompression On
+
+ SecHashEngine On
+ SecHashParam "hmac"
+ SecHashKey "some_key" KeyOnly
+ SecHashMethodRx "HashHref" "\.(txt)"
+ SecRule REQUEST_URI "\@validateHash \.(txt)" "phase:2,id:1000,t:none,ctl:hashEnforcement=On,deny"
+ ),
+ match_log => {
+ error => [ qr/Request URI matched .* at REQUEST_URI. Hash parameter hash value = .* Requested URI hash value = .*/, 1],
+ },
+ match_response => {
+ status => qr/^403$/,
+ },
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?hmac=test",
+ ),
+},
+{
+ type => "misc",
+ comment => "SecHash engine - correct paramenter",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLog $ENV{DEBUG_LOG}
+ SecDebugLogLevel 9
+ SecRequestBodyAccess On
+ SecContentInjection On
+ SecStreamOutBodyInspection On
+ SecDisableBackendCompression On
+
+ SecHashEngine On
+ SecHashParam "hmac"
+ SecHashKey "some_key" KeyOnly
+ SecHashMethodRx "HashHref" "\.(txt)"
+ SecRule REQUEST_URI "\@validateHash \.(txt)" "phase:2,id:1000,t:none,ctl:hashEnforcement=On,deny"
+ ),
+ match_log => {
+ -error => [ qr/Request URI matched .* at REQUEST_URI. Hash parameter hash value = .* Requested URI hash value = .*/, 1],
+ },
+ match_response => {
+ status => qr/^200$/,
+ },
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt?hmac=a17d5c0a78b54a15f19ccb5d47651470c7b8f31f",
+ ),
+},
+{
+ type => "misc",
+ comment => "SecHash engine - link verification",
+ conf => qq(
+ SecRuleEngine On
+ SecDebugLogLevel 9
+ SecDebugLog $ENV{DEBUG_LOG}
+
+ SecContentInjection On
+ SecStreamOutBodyInspection On
+ SecDisableBackendCompression On
+
+ SecHashEngine On
+ SecHashParam "hmac"
+ SecHashKey "rand" "KeyOnly"
+ SecHashMethodRx "HashHref" "testparam"
+ ),
+ match_log => {
+ -error => [ qr/Request URI matched .* at REQUEST_URI. Hash parameter hash value = .* Requested URI hash value = .*/, 1],
+ },
+ match_response => {
+ content => qr/testparam=123456&hmac=a95a6c5324869521e82e8b2465dd36a27b0b6d27/,
+ },
+
+ request => new HTTP::Request(
+ GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/hash_test.html",
+ ),
+},
+
+
+
diff --git a/tests/regression/server_root/htdocs/hash_test.html b/tests/regression/server_root/htdocs/hash_test.html
new file mode 100644
index 00000000..e75b43dd
--- /dev/null
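Review bot: Inside `qq( … )` Perl reduces `\.` to a plain `.`, so the `SecHashMethodRx "HashHref" "\.(txt)"` and `"\@validateHash \.(txt)"` lines in the first three tests reach the server as `.(txt)`, which matches any character followed by `txt` rather than a literal `.txt`. The tests therefore pass against a looser pattern than the one written; doubling the backslash, `SecHashMethodRx "HashHref" "\\.(txt)"` and `"\@validateHash \\.(txt)"`, would exercise the intended match. Separately, the fourth test pins a fixed `hmac=` value in `match_response` while configuring `SecHashKey "rand"`; if `rand` selects a generated key (worth confirming against the directive's documentation), that expectation cannot be stable across runs. The leading `### libinjection.` comment also looks carried over from another test file and could read `### SecHash engine.`.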
+++ b/tests/regression/server_root/htdocs/hash_test.html
@@ -0,0 +1,6 @@
+
+
+Test
+Test 2
+
+