mechanize 2.3 → 2.4

data/CHANGELOG.rdoc

@@ -1,8 +1,31 @@
 = Mechanize CHANGELOG
 
-=== 2.3 / 2012-02-20
+=== 2.4
+
+* Security fix:
+
+  Mechanize#auth and Mechanize#basic_auth allowed disclosure of passwords to
+  malicious servers and have been removed.
+  
+  In prior versions of mechanize only one set of HTTP authentication
+  credentials were allowed for all connections.  If a mechanize instance
+  connected to more than one server then a malicious server detecting
+  mechanize could ask for HTTP Basic authentication.  This would expose the
+  username and password intended only for one server.
+
+  Mechanize#auth and Mechanize#basic_auth now warn when used.
+  
+  To fix the warning switch to Mechanize#add_auth which requires at the URI
+  the credentials are intended for, the username and the password.
+  Optionally an HTTP authentication realm or NTLM domain may be provided.
 
 * Minor enhancement
+  * Improved exception messages for 401 Unauthorized responses.  Mechanize now
+    tells you if you were missing credentials, had an incorrect password, etc.
+
+=== 2.3 / 2012-02-20
+
+* Minor enhancements
   * Add support for the Max-Age attribute in the Set-Cookie header.
   * Added Mechanize::Download#body for compatibility with Mechanize::File when
     using Mechanize#get_file with Mechanize::Image or other Download-based

data/Manifest.txt

@@ -46,6 +46,7 @@ lib/mechanize/http.rb
 lib/mechanize/http/agent.rb
 lib/mechanize/http/auth_challenge.rb
 lib/mechanize/http/auth_realm.rb
+lib/mechanize/http/auth_store.rb
 lib/mechanize/http/content_disposition_parser.rb
 lib/mechanize/http/www_authenticate_parser.rb
 lib/mechanize/image.rb
@@ -145,6 +146,7 @@ test/test_mechanize_history.rb
 test/test_mechanize_http_agent.rb
 test/test_mechanize_http_auth_challenge.rb
 test/test_mechanize_http_auth_realm.rb
+test/test_mechanize_http_auth_store.rb
 test/test_mechanize_http_content_disposition_parser.rb
 test/test_mechanize_http_www_authenticate_parser.rb
 test/test_mechanize_image.rb

data/examples/spider.rb

@@ -2,6 +2,7 @@ require 'rubygems'
 require 'mechanize'
 
 agent = Mechanize.new
+agent.max_history = nil # unlimited history
 stack = agent.get(ARGV[0]).links
 
 while l = stack.pop

data/lib/mechanize.rb

@@ -73,7 +73,7 @@ class Mechanize
   ##
   # The version of Mechanize you are using.
 
-  VERSION = '2.3'
+  VERSION = '2.4'
 
   ##
   # Base mechanize error class
@@ -209,7 +209,7 @@ class Mechanize
   ##
   # Maximum number of items allowed in the history.  The default setting is 50
   # pages.  Note that the size of the history multiplied by the maximum
-  # response body size 
+  # response body size
 
   def max_history
     @agent.history.max_size
@@ -618,17 +618,42 @@ class Mechanize
   attr_reader :proxy_user
 
   ##
-  # Sets the user and password to be used for HTTP authentication.
-  # sets the optional domain for NTLM authentication
+  # *NOTE*: These credentials will be used as a default for any challenge
+  # exposing your password to disclosure to malicious servers.  Use of this
+  # method will warn.  This method is deprecated and will be removed in
+  # mechanize 3.
+  #
+  # Sets the +user+ and +password+ as the default credentials to be used for
+  # HTTP authentication for any server.  The +domain+ is used for NTLM
+  # authentication.
+
+  def auth user, password, domain = nil
+    caller.first =~ /(.*?):(\d+).*?$/
+
+    warn <<-WARNING
+At #{$1} line #{$2}
+
+Use of #auth and #basic_auth are deprecated due to a security vulnerability.
+
+    WARNING
 
-  def auth(user, password, domain = nil)
-    @agent.user     = user
-    @agent.password = password
-    @agent.domain = domain
+    @agent.add_default_auth user, password, domain
   end
 
   alias basic_auth auth
 
+  ##
+  # Adds credentials +user+, +pass+ for +uri+.  If +realm+ is set the
+  # credentials are used only for that realm.  If +realm+ is not set the
+  # credentials become the default for any realm on that URI.
+  #
+  # +domain+ and +realm+ are exclusive as NTLM does not follow RFC 2617.  If
+  # +domain+ is given it is only used for NTLM authentication.
+
+  def add_auth uri, user, password, realm = nil, domain = nil
+    @agent.add_auth uri, user, password, realm, domain
+  end
+
   ##
   # Are If-Modified-Since conditional requests enabled?
 

data/lib/mechanize/file_response.rb

@@ -2,12 +2,15 @@
 # Fake response for dealing with file:/// requests
 
 class Mechanize::FileResponse
+
   def initialize(file_path)
     @file_path = file_path
+    @uri       = nil
   end
 
   def read_body
-    raise Mechanize::ResponseCodeError, self unless File.exist? @file_path
+    raise Mechanize::ResponseCodeError.new(self) unless
+      File.exist? @file_path
 
     if directory?
       yield dir_body
@@ -30,10 +33,10 @@ class Mechanize::FileResponse
   def each_header; end
 
   def [](key)
-    return nil unless key.downcase == 'content-type'
+    return nil if key.casecmp('Content-Type') != 0
     return 'text/html' if directory?
     return 'text/html' if ['.html', '.xhtml'].any? { |extn|
-      @file_path =~ /#{extn}$/
+      @file_path.end_with?(extn)
     }
     nil
   end
@@ -53,6 +56,10 @@ class Mechanize::FileResponse
     File.exist?(@file_path) ? 'OK' : 'Not Found'
   end
 
+  def uri
+    @uri ||= URI "file://#{@file_path}"
+  end
+
   private
 
   def dir_body
@@ -70,5 +77,6 @@ class Mechanize::FileResponse
   def directory?
     File.directory?(@file_path)
   end
+
 end
 

data/lib/mechanize/http/agent.rb

@@ -43,11 +43,9 @@ class Mechanize::HTTP::Agent
 
   # :section: HTTP Authentication
 
+  attr_reader :auth_store # :nodoc:
   attr_reader :authenticate_methods # :nodoc:
   attr_reader :digest_challenges # :nodoc:
-  attr_accessor :user
-  attr_accessor :password
-  attr_accessor :domain
 
   # :section: Redirection
 
@@ -139,6 +137,7 @@ class Mechanize::HTTP::Agent
     @webrobots                = nil
 
     # HTTP Authentication
+    @auth_store           = Mechanize::HTTP::AuthStore.new
     @authenticate_parser  = Mechanize::HTTP::WWWAuthenticateParser.new
     @authenticate_methods = Hash.new do |methods, uri|
       methods[uri] = Hash.new do |realms, auth_scheme|
@@ -147,9 +146,6 @@ class Mechanize::HTTP::Agent
     end
     @digest_auth          = Net::HTTP::DigestAuth.new
     @digest_challenges    = {}
-    @password             = nil # HTTP auth password
-    @user                 = nil # HTTP auth user
-    @domain               = nil # NTLM HTTP domain
 
     # SSL
     @pass = nil
@@ -170,6 +166,33 @@ class Mechanize::HTTP::Agent
     @http.keep_alive   = 300
   end
 
+  ##
+  # Adds credentials +user+, +pass+ for +uri+.  If +realm+ is set the
+  # credentials are used only for that realm.  If +realm+ is not set the
+  # credentials become the default for any realm on that URI.
+  #
+  # +domain+ and +realm+ are exclusive as NTLM does not follow RFC 2617.  If
+  # +domain+ is given it is only used for NTLM authentication.
+
+  def add_auth uri, user, password, realm = nil, domain = nil
+    @auth_store.add_auth uri, user, password, realm, domain
+  end
+
+  ##
+  # USE OF add_default_auth IS NOT RECOMMENDED AS IT MAY EXPOSE PASSWORDS TO
+  # THIRD PARTIES
+  #
+  # Adds credentials +user+, +pass+ as the default authentication credentials.
+  # If no other credentials are available  these will be returned from
+  # credentials_for.
+  #
+  # If +domain+ is given it is only used for NTLM authentication.
+
+  def add_default_auth user, password, domain = nil # :nodoc:
+    @auth_store.add_default_auth user, password, domain
+  end
+
+  ##
   # Retrieves +uri+ and parses it into a page or other object according to
   # PluggableParser.  If the URI is an HTTP or HTTPS scheme URI the given HTTP
   # +method+ is used to retrieve it, along with the HTTP +headers+, request
@@ -265,7 +288,7 @@ class Mechanize::HTTP::Agent
       response_authenticate(response, page, uri, request, headers, params,
                             referer)
     else
-      raise Mechanize::ResponseCodeError.new(page), "Unhandled response"
+      raise Mechanize::ResponseCodeError.new(page, 'unhandled response')
     end
   end
 
@@ -470,16 +493,18 @@ class Mechanize::HTTP::Agent
       request_auth_digest request, uri, realm, base_uri, false
     elsif realm = schemes[:iis_digest].find { |r| r.uri == base_uri } then
       request_auth_digest request, uri, realm, base_uri, true
-    elsif schemes[:basic].find { |r| r.uri == base_uri } then
-      request.basic_auth @user, @password
+    elsif realm = schemes[:basic].find { |r| r.uri == base_uri } then
+      user, password, = @auth_store.credentials_for uri, realm.realm
+      request.basic_auth user, password
     end
   end
 
   def request_auth_digest request, uri, realm, base_uri, iis
     challenge = @digest_challenges[realm]
 
-    uri.user = @user
-    uri.password = @password
+    user, password, = @auth_store.credentials_for uri, realm.realm
+    uri.user     = user
+    uri.password = password
 
     auth = @digest_auth.auth_header uri, challenge.to_s, request.method, iis
     request['Authorization'] = auth
@@ -523,8 +548,8 @@ class Mechanize::HTTP::Agent
   # major browsers do.
   def request_referer request, uri, referer
     return unless referer
-    return if 'https' == referer.scheme.downcase and
-              'https' != uri.scheme.downcase
+    return if 'https'.casecmp(referer.scheme) == 0 and
+              'https'.casecmp(uri.scheme) != 0
     if referer.fragment || referer.user || referer.password
       referer = referer.dup
       referer.fragment = referer.user = referer.password = nil
@@ -643,14 +668,20 @@ class Mechanize::HTTP::Agent
 
   def response_authenticate(response, page, uri, request, headers, params,
                             referer)
-    raise Mechanize::UnauthorizedError, page unless @user || @password
-
     www_authenticate = response['www-authenticate']
 
-    raise Mechanize::UnauthorizedError, page unless www_authenticate
-
+    unless www_authenticate = response['www-authenticate'] then
+      message = 'WWW-Authenticate header missing in response'
+      raise Mechanize::UnauthorizedError.new(page, nil, message)
+    end
+                                               
     challenges = @authenticate_parser.parse www_authenticate
 
+    unless @auth_store.credentials? uri, challenges then
+      message = "no credentials found, provide some with #add_auth"
+      raise Mechanize::UnauthorizedError.new(page, challenges, message)
+    end
+
     if challenge = challenges.find { |c| c.scheme =~ /^Digest$/i } then
       realm = challenge.realm uri
 
@@ -662,23 +693,30 @@ class Mechanize::HTTP::Agent
 
       existing_realms = @authenticate_methods[realm.uri][auth_scheme]
 
-      raise Mechanize::UnauthorizedError, page if
-        existing_realms.include? realm
+      if existing_realms.include? realm
+        message = 'Digest authentication failed'
+        raise Mechanize::UnauthorizedError.new(page, challeges, message)
+      end
 
       existing_realms << realm
       @digest_challenges[realm] = challenge
     elsif challenge = challenges.find { |c| c.scheme == 'NTLM' } then
       existing_realms = @authenticate_methods[uri + '/'][:ntlm]
 
-      raise Mechanize::UnauthorizedError, page if
-        existing_realms.include?(realm) and not challenge.params
+      if existing_realms.include?(realm) and not challenge.params then
+        message = 'NTLM authentication failed'
+        raise Mechanize::UnauthorizedError.new(page, challenges, message)
+      end
 
       existing_realms << realm
 
       if challenge.params then
         type_2 = Net::NTLM::Message.decode64 challenge.params
 
-        type_3 = type_2.response({ :user => @user, :password => @password, :domain => @domain },
+        user, password, domain = @auth_store.credentials_for uri, nil
+
+        type_3 = type_2.response({ :user => user, :password => password,
+                                   :domain => domain },
                                  { :ntlmv2 => true }).encode64
 
         headers['Authorization'] = "NTLM #{type_3}"
@@ -691,12 +729,15 @@ class Mechanize::HTTP::Agent
 
       existing_realms = @authenticate_methods[realm.uri][:basic]
 
-      raise Mechanize::UnauthorizedError, page if
-        existing_realms.include? realm
+      if existing_realms.include? realm then
+        message = 'Basic authentication failed'
+        raise Mechanize::UnauthorizedError.new(page, challenges, message)
+      end
 
       existing_realms << realm
     else
-      raise Mechanize::UnauthorizedError, page
+      message = 'unsupported authentication scheme'
+      raise Mechanize::UnauthorizedError.new(page, challenges, message)
     end
 
     fetch uri, request.method.downcase.to_sym, headers, params, referer
@@ -840,7 +881,7 @@ class Mechanize::HTTP::Agent
     body_io.flush
     body_io.rewind
 
-    raise Mechanize::ResponseCodeError, response if
+    raise Mechanize::ResponseCodeError.new(response, uri) if
       Net::HTTPUnknownResponse === response
 
     content_length = response.content_length
@@ -1126,3 +1167,5 @@ class Mechanize::HTTP::Agent
 
 end
 
+require 'mechanize/http/auth_store'
+

data/lib/mechanize/http/auth_challenge.rb

@@ -44,6 +44,13 @@ class Mechanize::HTTP
       end
     end
 
+    ##
+    # The name of the realm for this challenge
+
+    def realm_name
+      params['realm'] if Hash === params # NTLM has a string for params
+    end
+
     ##
     # The reconstructed, normalized challenge
 

data/lib/mechanize/http/auth_store.rb

@@ -0,0 +1,115 @@
+##
+# A credential store for HTTP authentication.
+#
+#   uri = URI 'http://example'
+#
+#   store = Mechanize::HTTP::AuthStore.new
+#   store.add_auth uri, 'user1', 'pass'
+#   store.add_auth uri, 'user2', 'pass', 'realm'
+#
+#   user, pass = store.credentials_for uri, 'realm' #=> 'user2', 'pass'
+#   user, pass = store.credentials_for uri, 'other' #=> 'user1', 'pass'
+#
+#   store.remove_auth uri # removes all credentials
+
+class Mechanize::HTTP::AuthStore
+
+  attr_reader :auth_accounts # :nodoc:
+
+  attr_reader :default_auth # :nodoc:
+
+  ##
+  # Creates a new AuthStore
+
+  def initialize
+    @auth_accounts = Hash.new do |h, uri|
+      h[uri] = {}
+    end
+
+    @default_auth = nil
+  end
+
+  ##
+  # Adds credentials +user+, +pass+ for the server at +uri+.  If +realm+ is
+  # set the credentials are used only for that realm.  If +realm+ is not set
+  # the credentials become the default for any realm on that URI.
+  #
+  # +domain+ and +realm+ are exclusive as NTLM does not follow RFC
+  # 2617.  If +domain+ is given it is only used for NTLM authentication.
+
+  def add_auth uri, user, pass, realm = nil, domain = nil
+    raise ArgumentError,
+          'NTLM domain given with realm which NTLM does not use' if
+      realm and domain
+
+    uri += '/'
+
+    auth_accounts[uri][realm] = [user, pass, domain]
+
+    self
+  end
+
+  ##
+  # USE OF add_default_auth IS NOT RECOMMENDED AS IT MAY EXPOSE PASSWORDS TO
+  # THIRD PARTIES
+  #
+  # Adds credentials +user+, +pass+ as the default authentication credentials.
+  # If no other credentials are available  these will be returned from
+  # credentials_for.
+  #
+  # If +domain+ is given it is only used for NTLM authentication.
+
+  def add_default_auth user, pass, domain = nil
+    warn <<-WARN
+You have supplied default authentication credentials that apply to ANY SERVER.
+Your username and password can be retrieved by ANY SERVER using Basic
+authentication.
+
+THIS EXPOSES YOUR USERNAME AND PASSWORD TO DISCLOSURE WITHOUT YOUR KNOWLEDGE.
+
+Use add_auth to set authentication credentials that will only be delivered
+only to a particular server you specify.
+    WARN
+
+    @default_auth = [user, pass, domain]
+  end
+
+  ##
+  # Returns true if credentials exist for the +challenges+ from the server at
+  # +uri+.
+
+  def credentials? uri, challenges
+    challenges.any? do |challenge|
+      credentials_for uri, challenge.realm_name
+    end
+  end
+
+  ##
+  # Retrieves credentials for +realm+ on the server at +uri+.
+
+  def credentials_for uri, realm
+    uri += '/'
+
+    realms = @auth_accounts[uri]
+
+    realms[realm] || realms[nil] || @default_auth
+  end
+
+  ##
+  # Removes credentials for +realm+ on the server at +uri+.  If +realm+ is not
+  # set all credentials for the server at +uri+ are removed.
+
+  def remove_auth uri, realm = nil
+    uri += '/'
+
+    if realm then
+      auth_accounts[uri].delete realm
+    else
+      auth_accounts.delete uri
+    end
+
+    self
+  end
+
+end
+

data/lib/mechanize/http/www_authenticate_parser.rb

@@ -45,6 +45,8 @@ class Mechanize::HTTP::WWWAuthenticateParser
 
         challenges << challenge
         next
+      else
+        scheme.capitalize!
       end
 
       next unless space
@@ -55,6 +57,8 @@ class Mechanize::HTTP::WWWAuthenticateParser
         pos = @scanner.pos
         name, value = auth_param
 
+        name.downcase! if name =~ /^realm$/i
+
         unless name then
           challenge.params = params
           challenges << challenge

data/lib/mechanize/page.rb

@@ -84,7 +84,7 @@ class Mechanize::Page < Mechanize::File
 
     if @parser
       parser_encoding = @parser.encoding
-      if (parser_encoding && parser_encoding.downcase) != (encoding && encoding.downcase)
+      if parser_encoding && encoding && parser_encoding.casecmp(encoding) != 0
         # lazy reinitialize the parser with the new encoding
         @parser = nil
       end

data/lib/mechanize/response_code_error.rb

@@ -7,13 +7,18 @@ class Mechanize::ResponseCodeError < Mechanize::Error
   attr_reader :response_code
   attr_reader :page
 
-  def initialize(page)
+  def initialize(page, message = nil)
+    super message
+
     @page          = page
     @response_code = page.code.to_s
   end
 
   def to_s
-    "#{@response_code} => #{Net::HTTPResponse::CODE_TO_OBJ[@response_code]}"
+    response_class = Net::HTTPResponse::CODE_TO_OBJ[@response_code]
+    out = "#{@response_code} => #{response_class} "
+    out << "for #{@page.uri} " if @page.respond_to? :uri # may be HTTPResponse
+    out << "-- #{super}"
   end
 
   alias inspect to_s

data/lib/mechanize/test_case.rb

@@ -120,21 +120,24 @@ end
 
 class BasicAuthServlet < WEBrick::HTTPServlet::AbstractServlet
   def do_GET(req,res)
-    htpd = WEBrick::HTTPAuth::Htpasswd.new('dot.htpasswd')
-    htpd.set_passwd('Blah', 'user', 'pass')
+    htpd = nil
+    Tempfile.open 'dot.htpasswd' do |io|
+      htpd = WEBrick::HTTPAuth::Htpasswd.new(io.path)
+      htpd.set_passwd('Blah', 'user', 'pass')
+    end
+
     authenticator = WEBrick::HTTPAuth::BasicAuth.new({
       :UserDB => htpd,
       :Realm  => 'Blah',
       :Logger => Logger.new(nil)
-    }
-                                                    )
-                                                    begin
-                                                      authenticator.authenticate(req,res)
-                                                      res.body = 'You are authenticated'
-                                                    rescue WEBrick::HTTPStatus::Unauthorized
-                                                      res.status = 401
-                                                    end
-                                                    FileUtils.rm('dot.htpasswd')
+    })
+
+    begin
+      authenticator.authenticate(req,res)
+      res.body = 'You are authenticated'
+    rescue WEBrick::HTTPStatus::Unauthorized
+      res.status = 401
+    end
   end
   alias :do_POST :do_GET
 end
@@ -148,29 +151,34 @@ class ContentTypeServlet < WEBrick::HTTPServlet::AbstractServlet
 end
 
 class DigestAuthServlet < WEBrick::HTTPServlet::AbstractServlet
-  htpd = WEBrick::HTTPAuth::Htdigest.new('digest.htpasswd')
-  htpd.set_passwd('Blah', 'user', 'pass')
+  htpd = nil
+
+  Tempfile.open 'digest.htpasswd' do |io|
+    htpd = WEBrick::HTTPAuth::Htdigest.new(io.path)
+    htpd.set_passwd('Blah', 'user', 'pass')
+  end
+
   @@authenticator = WEBrick::HTTPAuth::DigestAuth.new({
     :UserDB => htpd,
     :Realm  => 'Blah',
     :Algorithm => 'MD5',
     :Logger => Logger.new(nil)
-  }
-                                                     )
-                                                     def do_GET(req,res)
-                                                       def req.request_time; Time.now; end
-                                                       def req.request_uri; '/digest_auth'; end
-                                                       def req.request_method; "GET"; end
-
-                                                       begin
-                                                         @@authenticator.authenticate(req,res)
-                                                         res.body = 'You are authenticated'
-                                                       rescue WEBrick::HTTPStatus::Unauthorized
-                                                         res.status = 401
-                                                       end
-                                                       FileUtils.rm('digest.htpasswd') if File.exists?('digest.htpasswd')
-                                                     end
-                                                     alias :do_POST :do_GET
+  })
+
+  def do_GET(req,res)
+    def req.request_time; Time.now; end
+    def req.request_uri; '/digest_auth'; end
+    def req.request_method; "GET"; end
+
+    begin
+      @@authenticator.authenticate(req,res)
+      res.body = 'You are authenticated'
+    rescue WEBrick::HTTPStatus::Unauthorized
+      res.status = 401
+    end
+    FileUtils.rm('digest.htpasswd') if File.exists?('digest.htpasswd')
+  end
+  alias :do_POST :do_GET
 end
 
 class FileUploadServlet < WEBrick::HTTPServlet::AbstractServlet

data/lib/mechanize/unauthorized_error.rb

@@ -1,3 +1,22 @@
 class Mechanize::UnauthorizedError < Mechanize::ResponseCodeError
+
+  attr_reader :challenges
+
+  def initialize page, challenges, message
+    super page, message
+    @challenges = challenges
+  end
+
+  def to_s
+    out = super
+
+    if @challenges then
+      realms = @challenges.map { |challenge| challenge.realm_name }.join ', '
+      out << " -- available realms: #{realms}"
+    end
+
+    out
+  end
+
 end
 

data/test/test_mechanize.rb

@@ -41,9 +41,17 @@ class TestMechanize < Mechanize::TestCase
   end
 
   def test_basic_auth
-    @mech.basic_auth('user', 'pass')
-    page = @mech.get("http://localhost/basic_auth")
-    assert_equal('You are authenticated', page.body)
+    _, err = capture_io do
+      @mech.basic_auth 'user', 'pass' # warns
+    end
+
+    line = __LINE__ - 3
+    file = File.basename __FILE__
+
+    assert_match "#{file} line #{line}", err
+
+    page = @mech.get @uri + '/basic_auth'
+    assert_equal 'You are authenticated', page.body
   end
 
   def test_cert_key_file
@@ -326,7 +334,11 @@ but not <a href="/" rel="me nofollow">this</a>!
 
   def test_get_HTTP
     page = @mech.get('HTTP://localhost/', { :q => 'hello' })
-    assert_equal('HTTP://localhost/?q=hello', page.uri.to_s)
+
+    assert_kind_of URI::HTTP, page.uri
+    assert_equal 'localhost', page.uri.host
+    assert_equal 80,          page.uri.port
+    assert_equal '/?q=hello', page.uri.request_uri
   end
 
   def test_get_anchor
@@ -340,19 +352,19 @@ but not <a href="/" rel="me nofollow">this</a>!
     end
   end
 
-  def test_get_basic_auth_bad
-    @mech.basic_auth('aaron', 'aaron')
+  def test_get_auth_bad
+    @mech.add_auth(@uri, 'aaron', 'aaron')
 
     e = assert_raises Mechanize::UnauthorizedError do
-      @mech.get("http://localhost/basic_auth")
+      @mech.get(@uri + '/basic_auth')
     end
 
     assert_equal("401", e.response_code)
   end
 
-  def test_get_basic_auth_none
+  def test_get_auth_none
     e = assert_raises Mechanize::UnauthorizedError do
-      @mech.get("http://localhost/basic_auth")
+      @mech.get(@uri + '/basic_auth')
     end
 
     assert_equal("401", e.response_code)
@@ -374,7 +386,7 @@ but not <a href="/" rel="me nofollow">this</a>!
   def test_get_digest_auth
     block_called = false
 
-    @mech.basic_auth('user', 'pass')
+    @mech.add_auth(@uri, 'user', 'pass')
 
     @mech.pre_connect_hooks << lambda { |_, request|
       block_called = true
@@ -383,7 +395,7 @@ but not <a href="/" rel="me nofollow">this</a>!
       end
     }
 
-    page = @mech.get("http://localhost/digest_auth")
+    page = @mech.get(@uri + '/digest_auth')
     assert_equal('You are authenticated', page.body)
     assert block_called
   end
@@ -869,15 +881,15 @@ but not <a href="/" rel="me nofollow">this</a>!
     assert_equal "gender=female", requests.first.body
   end
 
-  def test_post_basic_auth
+  def test_post_auth
     requests = []
 
     @mech.pre_connect_hooks << proc { |agent, request|
       requests << request.class
     }
 
-    @mech.basic_auth('user', 'pass')
-    page = @mech.post("http://localhost/basic_auth")
+    @mech.add_auth(@uri, 'user', 'pass')
+    page = @mech.post(@uri + '/basic_auth')
     assert_equal('You are authenticated', page.body)
     assert_equal(2, requests.length)
     r1 = requests[0]

data/test/test_mechanize_http_agent.rb

@@ -164,7 +164,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
         @agent.fetch uri
       end
 
-      assert_equal '404 => Net::HTTPNotFound', e.message
+      assert_match "404 => Net::HTTPNotFound for #{uri}", e.message
     end
   end
 
@@ -436,8 +436,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_request_auth_basic
-    @agent.user = 'user'
-    @agent.password = 'password'
+    @agent.add_auth @uri, 'user', 'password'
 
     auth_realm @uri, 'Basic', :basic
 
@@ -447,8 +446,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_request_auth_digest
-    @agent.user = 'user'
-    @agent.password = 'password'
+    @agent.add_auth @uri, 'user', 'password'
 
     realm = auth_realm @uri, 'Digest', :digest
     @agent.digest_challenges[realm] = 'Digest realm=r, qop="auth"'
@@ -460,8 +458,7 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_request_auth_iis_digest
-    @agent.user = 'user'
-    @agent.password = 'password'
+    @agent.add_auth @uri, 'user', 'password'
 
     realm = auth_realm @uri, 'Digest', :digest
     @agent.digest_challenges[realm] = 'Digest realm=r, qop="auth"'
@@ -672,9 +669,9 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_response_authenticate
+    @agent.add_auth @uri, 'user', 'password'
+
     @res.instance_variable_set :@header, 'www-authenticate' => ['Basic realm=r']
-    @agent.user = 'user'
-    @agent.password = 'password'
 
     @agent.response_authenticate @res, nil, @uri, @req, {}, nil, nil
 
@@ -684,10 +681,10 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_response_authenticate_digest
+    @agent.add_auth @uri, 'user', 'password'
+
     @res.instance_variable_set(:@header,
                                'www-authenticate' => ['Digest realm=r'])
-    @agent.user = 'user'
-    @agent.password = 'password'
 
     @agent.response_authenticate @res, nil, @uri, @req, {}, nil, nil
 
@@ -700,12 +697,11 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_response_authenticate_digest_iis
+    @agent.add_auth @uri, 'user', 'password'
+
     @res.instance_variable_set(:@header,
                                'www-authenticate' => ['Digest realm=r'],
                                'server'           => ['Microsoft-IIS'])
-    @agent.user = 'user'
-    @agent.password = 'password'
-
     @agent.response_authenticate @res, nil, @uri, @req, {}, nil, nil
 
     base_uri = @uri + '/'
@@ -714,11 +710,11 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_response_authenticate_multiple
+    @agent.add_auth @uri, 'user', 'password'
+
     @res.instance_variable_set(:@header,
                                'www-authenticate' =>
                                  ['Basic realm=r, Digest realm=r'])
-    @agent.user = 'user'
-    @agent.password = 'password'
 
     @agent.response_authenticate @res, nil, @uri, @req, {}, nil, nil
 
@@ -729,25 +725,39 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     assert_empty @agent.authenticate_methods[base_uri][:basic]
   end
 
+  def test_response_authenticate_no_credentials
+    @res.instance_variable_set :@header, 'www-authenticate' => ['Basic realm=r']
+
+    e = assert_raises Mechanize::UnauthorizedError do
+      @agent.response_authenticate @res, fake_page, @uri, @req, {}, nil, nil
+    end
+
+    assert_match 'no credentials', e.message
+    assert_match 'available realms: r', e.message
+  end
+
   def test_response_authenticate_no_www_authenticate
-    denied = page URI('http://example/denied'), 'text/html', '', 403
-    @agent.user = 'user'
-    @agent.password = 'password'
+    @agent.add_auth @uri, 'user', 'password'
+
+    denied_uri = URI('http://example/denied')
+
+    denied = page denied_uri, 'text/html', '', 401
 
     e = assert_raises Mechanize::UnauthorizedError do
       @agent.response_authenticate @res, denied, @uri, @req, {}, nil, nil
     end
 
-    assert_equal '403 => Net::HTTPForbidden', e.message
+    assert_equal "401 => Net::HTTPUnauthorized for #{denied_uri} -- " \
+                 "WWW-Authenticate header missing in response",
+                 e.message
   end
 
   def test_response_authenticate_ntlm
     @uri += '/ntlm'
+    @agent.add_auth @uri, 'user', 'password'
+
     @res.instance_variable_set(:@header,
                                'www-authenticate' => ['Negotiate, NTLM'])
-    @agent.user = 'user'
-    @agent.password = 'password'
-    @agent.domain = 'domain'
 
     page = @agent.response_authenticate @res, nil, @uri, @req, {}, nil, nil
 
@@ -755,8 +765,8 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
   end
 
   def test_response_authenticate_unknown
-    @agent.user = 'user'
-    @agent.password = 'password'
+    @agent.add_auth @uri, 'user', 'password'
+
     page = Mechanize::File.new nil, nil, nil, 401
     @res.instance_variable_set(:@header,
                                'www-authenticate' => ['Unknown realm=r'])
@@ -1229,6 +1239,21 @@ class TestMechanizeHttpAgent < Mechanize::TestCase
     end
   end
 
+  def test_file_response_content_type
+    Tempfile.open ['pi','.nothtml'] do |tempfile|
+      res = Mechanize::FileResponse.new tempfile.path
+      assert_equal nil, res['content-type']
+    end
+    Tempfile.open ['pi','.xhtml'] do |tempfile|
+      res = Mechanize::FileResponse.new tempfile.path
+      assert_equal 'text/html', res['content-type']
+    end
+    Tempfile.open ['pi','.html'] do |tempfile|
+      res = Mechanize::FileResponse.new tempfile.path
+      assert_equal 'text/html', res['Content-Type']
+    end
+  end
+
   def test_response_read_large
     @agent.max_file_buffer = 10240
 

data/test/test_mechanize_http_auth_challenge.rb

@@ -35,5 +35,15 @@ class TestMechanizeHttpAuthChallenge < Mechanize::TestCase
     assert_equal 'unknown HTTP authentication scheme Unknown', e.message
   end
 
+  def test_realm_name
+    assert_equal 'r', @challenge.realm_name
+  end
+
+  def test_realm_name_ntlm
+    challenge = @AC.new 'Negotiate, NTLM'
+
+    assert_nil challenge.realm_name
+  end
+
 end
 

data/test/test_mechanize_http_auth_store.rb

@@ -0,0 +1,172 @@
+# coding: utf-8
+
+require 'mechanize/test_case'
+
+class TestMechanizeHttpAuthStore < Mechanize::TestCase
+
+  def setup
+    super
+
+    @store = Mechanize::HTTP::AuthStore.new
+
+    @uri = URI.parse 'http://example/'
+  end
+
+  def test_add_auth
+    @store.add_auth @uri + '/path', 'user', 'pass'
+
+    expected = {
+      @uri => {
+        nil => ['user', 'pass', nil],
+      }
+    }
+
+    assert_equal expected, @store.auth_accounts
+  end
+
+  def test_add_auth_domain
+    @store.add_auth @uri + '/path', 'user1', 'pass', nil, 'domain'
+
+    expected = {
+      @uri => {
+        nil => %w[user1 pass domain],
+      }
+    }
+
+    assert_equal expected, @store.auth_accounts
+
+    e = assert_raises ArgumentError do
+      @store.add_auth @uri, 'user3', 'pass', 'realm', 'domain'
+    end
+
+    assert_equal 'NTLM domain given with realm which NTLM does not use',
+                 e.message
+  end
+
+  def test_add_auth_realm
+    @store.add_auth @uri, 'user1', 'pass'
+    @store.add_auth @uri, 'user2', 'pass', 'realm'
+
+    expected = {
+      @uri => {
+        nil     => ['user1', 'pass', nil],
+        'realm' => ['user2', 'pass', nil],
+      }
+    }
+
+    assert_equal expected, @store.auth_accounts
+  end
+
+  def test_add_default_auth
+    _, err = capture_io do
+      @store.add_default_auth 'user', 'pass'
+    end
+
+    expected = ['user', 'pass', nil]
+
+    assert_equal expected, @store.default_auth
+
+    assert_match 'DISCLOSURE WITHOUT YOUR KNOWLEDGE', err
+
+    capture_io do
+      @store.add_default_auth 'user', 'pass', 'realm'
+    end
+
+    expected = %w[user pass realm]
+
+    assert_equal expected, @store.default_auth
+  end
+
+  def test_credentials_eh
+    challenges = [
+      Mechanize::HTTP::AuthChallenge.new('Basic',  'realm' => 'r'),
+      Mechanize::HTTP::AuthChallenge.new('Digest', 'realm' => 'r'),
+    ]
+
+    refute @store.credentials? @uri, challenges
+
+    @store.add_auth @uri, 'user', 'pass'
+
+    assert @store.credentials? @uri, challenges
+  end
+
+  def test_credentials_for
+    assert_nil @store.credentials_for(@uri, 'realm')
+
+    @store.add_auth @uri, 'user', 'pass', 'realm'
+
+    assert_equal ['user', 'pass', nil], @store.credentials_for(@uri, 'realm')
+    assert_nil @store.credentials_for(@uri, 'other')
+  end
+
+  def test_credentials_for_default
+    assert_nil @store.credentials_for(@uri, 'realm')
+
+    capture_io do
+      @store.add_default_auth 'user1', 'pass'
+    end
+
+    assert_equal ['user1', 'pass', nil], @store.credentials_for(@uri, 'realm')
+
+    @store.add_auth @uri, 'user2', 'pass'
+
+    assert_equal ['user2', 'pass', nil], @store.credentials_for(@uri, 'realm')
+    assert_equal ['user2', 'pass', nil], @store.credentials_for(@uri, 'other')
+  end
+
+  def test_credentials_for_no_realm
+    @store.add_auth @uri, 'user', 'pass' # no realm set
+
+    assert_equal ['user', 'pass', nil], @store.credentials_for(@uri, 'realm')
+  end
+
+  def test_credentials_for_realm
+    @store.add_auth @uri, 'user1', 'pass'
+    @store.add_auth @uri, 'user2', 'pass', 'realm'
+
+    assert_equal ['user2', 'pass', nil], @store.credentials_for(@uri, 'realm')
+    assert_equal ['user1', 'pass', nil], @store.credentials_for(@uri, 'other')
+  end
+
+  def test_credentials_for_path
+    @store.add_auth @uri, 'user', 'pass', 'realm'
+
+    uri = @uri + '/path'
+
+    assert_equal ['user', 'pass', nil], @store.credentials_for(uri, 'realm')
+  end
+
+  def test_remove_auth
+    @store.remove_auth @uri
+
+    assert_empty @store.auth_accounts
+  end
+
+  def test_remove_auth_both
+    @store.add_auth @uri, 'user1', 'pass'
+    @store.add_auth @uri, 'user2', 'pass', 'realm'
+
+    uri = @uri + '/path'
+
+    @store.remove_auth uri
+
+    assert_empty @store.auth_accounts
+  end
+
+  def test_remove_auth_realm
+    @store.add_auth @uri, 'user1', 'pass'
+    @store.add_auth @uri, 'user2', 'pass', 'realm'
+
+    @store.remove_auth @uri, 'realm'
+
+    expected = {
+      @uri => {
+        nil => ['user1', 'pass', nil]
+      }
+    }
+
+    assert_equal expected, @store.auth_accounts
+  end
+
+end
+

data/test/test_mechanize_http_www_authenticate_parser.rb

@@ -52,20 +52,20 @@ class TestMechanizeHttpWwwAuthenticateParser < Mechanize::TestCase
 
   def test_parse_multiple
     expected = [
-      challenge('Basic', { 'realm' => 'foo' }),
-      challenge('Digest', { 'realm' => 'foo' }),
+      challenge('Basic',  { 'realm' => 'foo' }),
+      challenge('Digest', { 'realm' => 'bar' }),
     ]
 
-    assert_equal expected, @parser.parse('Basic realm=foo, Digest realm=foo')
+    assert_equal expected, @parser.parse('Basic realm=foo, Digest realm=bar')
   end
 
   def test_parse_multiple_blank
     expected = [
-      challenge('Basic', { 'realm' => 'foo' }),
-      challenge('Digest', { 'realm' => 'foo' }),
+      challenge('Basic',  { 'realm' => 'foo' }),
+      challenge('Digest', { 'realm' => 'bar' }),
     ]
 
-    assert_equal expected, @parser.parse('Basic realm=foo,, Digest realm=foo')
+    assert_equal expected, @parser.parse('Basic realm=foo,, Digest realm=bar')
   end
 
   def test_parse_ntlm_init
@@ -84,6 +84,22 @@ class TestMechanizeHttpWwwAuthenticateParser < Mechanize::TestCase
     assert_equal expected, @parser.parse('NTLM foo=')
   end
 
+  def test_parse_realm_uppercase
+    expected = [
+      challenge('Basic', { 'realm' => 'foo' }),
+    ]
+
+    assert_equal expected, @parser.parse('Basic ReAlM=foo')
+  end
+
+  def test_parse_scheme_uppercase
+    expected = [
+      challenge('Basic', { 'realm' => 'foo' }),
+    ]
+
+    assert_equal expected, @parser.parse('BaSiC realm=foo')
+  end
+
   def test_quoted_string
     @parser.scanner = StringScanner.new '"text"'
 

metadata

@@ -1,12 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: mechanize
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 11
   prerelease: 
   segments: 
   - 2
-  - 3
-  version: "2.3"
+  - 4
+  version: "2.4"
 platform: ruby
 authors: 
 - Eric Hodel
@@ -18,9 +18,9 @@ bindir: bin
 cert_chain: 
 - |
   -----BEGIN CERTIFICATE-----
-  MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
+  MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
   YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
-  ZXQwHhcNMTIwMTMxMDEwMzUyWhcNMTMwMTMwMDEwMzUyWjBBMRAwDgYDVQQDDAdk
+  ZXQwHhcNMTIwMjI4MTc1NDI1WhcNMTMwMjI3MTc1NDI1WjBBMRAwDgYDVQQDDAdk
   cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
   FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
   LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
@@ -28,17 +28,18 @@ cert_chain:
   Gj/okWrQl0NjYOYBpDi+9PPmaH2RmLJu0dB/NylsDnW5j6yN1BEI8MfJRR+HRKZY
   mUtgzBwF1V4KIZQ8EuL6I/nHVu07i6IkrpAgxpXUfdJQJi0oZAqXurAV3yTxkFwd
   g62YrrW26mDe+pZBzR6bpLE+PmXCzz7UxUq3AE0gPHbiMXie3EFE0oxnsU3lIduh
-  sCANiQ8BAgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+  sCANiQ8BAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
   BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
-  bnQ3Lm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAge3LmAU2QbrS2/grAEmRu3bCCHrQ
-  NSc6j+p53VJ1DraNWEMY3D90F/SKzsI0SYgZb71i49k+pNA2CVXzEJAY7agZbjWJ
-  UbgGKN8u9SGbIoQPBPIl97JPIGlR7AoEdmlWyFySaZD4o6+Q0onUXIV+P/KrYTVb
-  Zj/NEjHGrvskpDzlYI2LvG71DFp1o0hfIZzdvfWLAMVqtuEjJ6QrUm9FttR06rNo
-  itgEKl/tNI4M9oKJT0faQ5PvJ70ualcLnwkBLyJVd2r8qwxfjUAjKF8iMpBSb98s
-  YJY7T/W2n+eWy8WuPhzVUkyzguj0bQe27NDeabgCh2mHd4Hynk2AkYh8MQ==
+  bnQ3Lm5ldDAfBgNVHRIEGDAWgRRkcmJyYWluQHNlZ21lbnQ3Lm5ldDANBgkqhkiG
+  9w0BAQUFAAOCAQEAPeWzFnrcvC6eVzdlhmjUub2s6qieBkongKRDHQz5MEeQv4LS
+  SARnoHY+uCAVL/1xGAhmpzqQ3fJGWK9eBacW/e8E5GF9xQcV3mE1bA0WNaiDlX5j
+  U2aI+ZGSblqvHUCxKBHR1s7UMHsbz1saOmgdRTyPx0juJs68ocbUTeYBLWu9V4KP
+  zdGAG2JXO2gONg3b4tYDvpBLbry+KOX27iAJulUaH9TiTOULL4ITJVFsK0mYVqmR
+  Q8Tno9S3e4XGGP1ZWfLrTWEJbavFfhGHut2iMRwfC7s/YILAHNATopaJdH9DNpd1
+  U81zGHMUBOvz/VGT6wJwYJ3emS2nfA2NOHFfgA==
   -----END CERTIFICATE-----
 
-date: 2012-02-21 00:00:00 Z
+date: 2012-04-21 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: net-http-digest_auth
@@ -201,11 +202,11 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 23
+        hash: 21
         segments: 
         - 2
-        - 10
-        version: "2.10"
+        - 11
+        version: "2.11"
   type: :development
   version_requirements: *id008
 - !ruby/object:Gem::Dependency 
@@ -231,11 +232,11 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 25
+        hash: 35
         segments: 
         - 2
-        - 13
-        version: "2.13"
+        - 16
+        version: "2.16"
   type: :development
   version_requirements: *id010
 description: |-
@@ -254,11 +255,11 @@ executables: []
 extensions: []
 
 extra_rdoc_files: 
-- Manifest.txt
 - CHANGELOG.rdoc
 - EXAMPLES.rdoc
 - GUIDE.rdoc
 - LICENSE.rdoc
+- Manifest.txt
 - README.rdoc
 files: 
 - .autotest
@@ -309,6 +310,7 @@ files:
 - lib/mechanize/http/agent.rb
 - lib/mechanize/http/auth_challenge.rb
 - lib/mechanize/http/auth_realm.rb
+- lib/mechanize/http/auth_store.rb
 - lib/mechanize/http/content_disposition_parser.rb
 - lib/mechanize/http/www_authenticate_parser.rb
 - lib/mechanize/image.rb
@@ -408,6 +410,7 @@ files:
 - test/test_mechanize_http_agent.rb
 - test/test_mechanize_http_auth_challenge.rb
 - test/test_mechanize_http_auth_realm.rb
+- test/test_mechanize_http_auth_store.rb
 - test/test_mechanize_http_content_disposition_parser.rb
 - test/test_mechanize_http_www_authenticate_parser.rb
 - test/test_mechanize_image.rb
@@ -459,7 +462,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: mechanize
-rubygems_version: 1.8.12
+rubygems_version: 1.8.21
 signing_key: 
 specification_version: 3
 summary: The Mechanize library is used for automating interaction with websites
@@ -490,6 +493,7 @@ test_files:
 - test/test_mechanize_http_agent.rb
 - test/test_mechanize_http_auth_challenge.rb
 - test/test_mechanize_http_auth_realm.rb
+- test/test_mechanize_http_auth_store.rb
 - test/test_mechanize_http_content_disposition_parser.rb
 - test/test_mechanize_http_www_authenticate_parser.rb
 - test/test_mechanize_image.rb