From 79bbdd29485ecbee78817728d52efb351bf72a3f Mon Sep 17 00:00:00 2001
From: Val Lorentz
Date: Mon, 29 May 2023 11:53:08 +0200
Subject: [PATCH] sasl: Add tests for signature failure from the server (#179)
---
 .github/workflows/test-stable.yml | 2 +-
 irctest/client_tests/sasl.py | 32 ++++++++++++++++++++++++++++++-
 workflows.yml | 2 +-
 3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test-stable.yml b/.github/workflows/test-stable.yml
index 9341a6c..97e5409 100644
--- a/.github/workflows/test-stable.yml
+++ b/.github/workflows/test-stable.yml
@@ -894,7 +894,7 @@ jobs:
 with:
 python-version: 3.7
 - name: Install dependencies
- run: pip install limnoria==2022.03.17 cryptography pyxmpp2-scram
+ run: pip install limnoria==2023.5.27 cryptography pyxmpp2-scram
 - name: Install system dependencies
 run: sudo apt-get install atheme-services faketime
 - name: Install irctest dependencies
diff --git a/irctest/client_tests/sasl.py b/irctest/client_tests/sasl.py
index 44f5e76..8e38305 100644
--- a/irctest/client_tests/sasl.py
+++ b/irctest/client_tests/sasl.py
@@ -228,7 +228,7 @@ class SaslTestCase(cases.BaseClientTestCase):
 self.assertEqual(m.params, ["+"], m)
 @cases.skipUnlessHasMechanism("SCRAM-SHA-256")
- def testScramBadPassword(self):
+ def testScramBadPassword(self, server_fakes_success=False, fake_response=None):
 """Test SCRAM-SHA-256 authentication with a bad password."""
 auth = authentication.Authentication(
 mechanisms=[authentication.Mechanisms.scram_sha_256],
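Review bot: The docstring kept under the new signature of `testScramBadPassword` in irctest/client_tests/sasl.py still reads as a plain bad-password test, although the method now doubles as the helper for the fake-success case. I would extend it to something like `"""Test SCRAM-SHA-256 authentication with a bad password; with server_fakes_success, the server then sends fake_response and the client must abort."""`. It would also help to state there that `fake_response` is required in that mode, because the default `None` would be formatted into the `AUTHENTICATE` line added in the next hunk as the text `None`. The method body continues outside this hunk.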
@@ -261,6 +261,36 @@ class SaslTestCase(cases.BaseClientTestCase):
 with self.assertRaises(scram.NotAuthorizedException):
 authenticator.response(msg)
+ if server_fakes_success:
+ self.sendLine(f"AUTHENTICATE :{fake_response}")
+
+ m = self.getMessage()
+ while m.command == "PING":
+ self.sendLine(f"PONG server. {m.params[-1]}")
+ m = self.getMessage()
+ self.assertMessageMatch(
+ m,
+ command="AUTHENTICATE",
+ params=["*"],
+ fail_msg="Client did not abort: {msg}",
+ )
+
+ @cases.skipUnlessHasMechanism("SCRAM-SHA-256")
+ @pytest.mark.parametrize(
+ "fake_response",
+ [
+ "",
+ "AAAA",
+ "dj1ubU1mM1FIV2NKUWk5cE1ndHFLU0tQclZueUk2c3FOTzZJN3BFLzBveUdjPQ==",
+ ],
+ )
+ def testScramMaliciousServer(self, fake_response):
+ """Test SCRAM-SHA-256 authentication to a server which pretends to know
+ the password"""
+ self.testScramBadPassword(
+ server_fakes_success=True, fake_response=fake_response
+ )
+
 class Irc302SaslTestCase(cases.BaseClientTestCase):
 @cases.skipUnlessHasMechanism("PLAIN")
diff --git a/workflows.yml b/workflows.yml
index e7b77a2..13b2de5 100644
--- a/workflows.yml
+++ b/workflows.yml
@@ -355,7 +355,7 @@ software:
 install_steps:
 stable:
 - name: Install dependencies
- run: pip install limnoria==2022.03.17 cryptography pyxmpp2-scram
+ run: pip install limnoria==2023.5.27 cryptography pyxmpp2-scram
 release:
 - name: Install dependencies
 run: pip install limnoria cryptography pyxmpp2-scram
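Review bot: The three `fake_response` values passed to `pytest.mark.parametrize` above `testScramMaliciousServer` (irctest/client_tests/sasl.py, hunk at -261) are not explained, so a reader cannot tell which server-signature failure each one exercises. A short comment per entry would do, for example `# empty final message`, `# valid base64, not a SCRAM message` and `# well-formed "v=..." message whose signature must not verify`; the last description is my reading of the decoded string and should be confirmed. The hunk also uses `pytest` without the patch adding an import, so the module has to import it already, which is not visible here. The enclosing class `SaslTestCase` starts outside the hunk.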