Added test for CVE issue-11435

testsuite/tests/apicast/auth/test_basic_auth_app_id.py

@@ -1,65 +1,106 @@
 """
 Service requires credentials (app_id, app_key) to be passed using the Basic Auth
-
 Rewrite ./spec/functional_specs/auth/basic_auth_app_id_spec.rb
 """
 
 import pytest
-
 from threescale_api.resources import Service
+from packaging.version import Version  # noqa # pylint: disable=unused-import
 
+from testsuite import TESTED_VERSION  # noqa # pylint: disable=unused-import
+from testsuite.capabilities import Capability
+from testsuite.gateways.apicast.selfmanaged import SelfManagedApicast
+from testsuite.gateways.apicast.system import SystemApicast
+from testsuite.httpx import HttpxClient
 from testsuite.utils import basic_auth_string
 
 
 @pytest.fixture(scope="module")
 def service_settings(service_settings):
-    "Set auth mode to app_id/app_key"
+    """Set auth mode to app_id/app_key."""
     service_settings.update({"backend_version": Service.AUTH_APP_ID_KEY})
     return service_settings
 
 
 @pytest.fixture(scope="module")
 def service_proxy_settings(service_proxy_settings):
-    "Set credentials location to 'authorization' (Basic HTTP auth)"
+    """Set credentials location to 'authorization' (Basic HTTP auth)."""
     service_proxy_settings.update({"credentials_location": "authorization"})
     return service_proxy_settings
 
 
-@pytest.mark.smoke
-def test_basic_auth_app_id_key(application, api_client):
-    """Test client access with Basic HTTP Auth using app id and app key
-
-    Configure Api/Service to use App ID / App Key Authentication
-    and Basic HTTP Auth to pass the credentials.
+@pytest.fixture(scope="module")
+def http_client(application):
+    """Provide an HttpxClient instance using HTTP 1.1."""
+    client = HttpxClient(False, application)
+    client.auth = None  # No default authentication
+    yield client
+    client.close()
 
-    Then request made with appropriate Basic auth made has to pass as expected"""
 
+@pytest.fixture(scope="module")
+def valid_auth_headers(application):
+    """Generate valid Basic Auth headers."""
     creds = application.authobj().credentials
-    expected_authorization = basic_auth_string(creds["app_id"], creds["app_key"])
-
-    response = api_client().get("/get")
+    authorization = basic_auth_string(creds["app_id"], creds["app_key"])
+    return {"Authorization": authorization}
 
-    assert response.status_code == 200
-    assert response.request.headers["Authorization"] == expected_authorization
 
+@pytest.fixture(scope="module")
+def malformed_request(http_client):
+    """Create a function to make requests with malformed auth headers."""
 
-def test_basic_auth_app_id_403_with_query(application, api_client):
-    "Forbid access if credentials passed wrong way"
-    client = api_client()
+    def prepare_request():
+        headers = {"Authorization": "Basic test123?"}  # Malformed authorization header
+        return http_client.get("/get", headers=headers)
 
-    client.auth = application.authobj(location="query")
+    return prepare_request
 
-    response = client.get("/get")
 
-    assert response.status_code == 403
+@pytest.fixture(
+    scope="module",
+    params=[
+        SystemApicast,
+        pytest.param(SelfManagedApicast, marks=pytest.mark.required_capabilities(Capability.CUSTOM_ENVIRONMENT)),
+    ],
+)
+def gateway_kind(request):
+    """Gateway class to use for tests"""
+    return request.param
 
 
-def test_basic_auth_app_id_403_without_auth(api_client):
-    "Forbid access if no credentials"
+@pytest.mark.smoke
+def test_basic_auth_success(http_client, valid_auth_headers):
+    """Test valid Basic HTTP Auth using app_id and app_key."""
+    response = http_client.get("/get", headers=valid_auth_headers)
+    assert response.status_code == 200, "Valid request failed unexpectedly."
+    assert response.request.headers["Authorization"] == valid_auth_headers["Authorization"]
+
+
+@pytest.mark.parametrize(
+    "auth_method, expected_status",
+    [
+        ("query", 403),  # Credentials passed as query parameters
+        (None, 403),  # No credentials
+    ],
+)
+def test_basic_auth_failure(api_client, application, auth_method, expected_status):
+    """Test forbidden access when credentials are passed incorrectly or missing."""
     client = api_client()
+    client.auth = application.authobj(location=auth_method) if auth_method else None
+    response = client.get("/get")
+    assert response.status_code == expected_status
 
-    client.auth = None
 
-    response = client.get("/get")
+@pytest.mark.skipif("TESTED_VERSION < Version('2.14')")
+@pytest.mark.issue("https://issues.redhat.com/browse/THREESCALE-11435")
+# pylint: disable=unused-argument
+def test_basic_auth_malformed_secret(http_client, valid_auth_headers, malformed_request, gateway_kind):
+    """Test malformed Basic Auth headers."""
+    # Valid request
+    response = http_client.get("/get", headers=valid_auth_headers)
+    assert response.status_code == 200, "Valid request failed unexpectedly."
 
-    assert response.status_code == 403
+    # Malformed request
+    malformed_status_code = malformed_request().status_code
+    assert malformed_status_code == 403, "Malformed request did not return 403 as expected."