A test to show that http_authentication needs to fail authentication if the password procedure returns nil. Also includes a fix to validate_digest_response to fail validation if the password procedure returns nil.

Signed-off-by: Michael Koziarski <michael@koziarski.com>

1 files changed, 14 insertions, 0 deletions

diff --git a/actionpack/test/controller/http_digest_authentication_test.rb b/actionpack/test/controller/http_digest_authentication_test.rb
index 15a11395bb..58f3b88075 100644
--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -76,6 +76,15 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     assert_equal 'SuperSecret', credentials[:realm]
   end
 
+  test "authentication request with nil credentials" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    get :index
+
+    assert_response :unauthorized
+    assert_equal "HTTP Digest: Access denied.\n", @response.body, "Authentication didn't fail for request"
+    assert_not_equal 'Hello Secret', @response.body, "Authentication didn't fail for request"
+  end
+
   test "authentication request with invalid password" do
     @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'foo')
     get :display
@@ -168,6 +177,11 @@ class HttpDigestAuthenticationTest < ActionController::TestCase
     assert_equal 'Definitely Maybe', @response.body
   end
 
+  test "validate_digest_response should fail with nil returning password_procedure" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => nil, :password => nil)
+    assert !ActionController::HttpAuthentication::Digest.validate_digest_response(@request, "SuperSecret"){nil}
+  end
+
   private
 
   def encode_credentials(options)