software/dufs: version up dufs 0.34.1

Also switch to basic authentication, this is generally more supported
than digest; keeweb for example only supports basic authentication. It
seems less secure though ( https://github.com/sigoden/dufs/issues/228 )

software/dufs/buildout.hash.cfg

@@ -15,4 +15,4 @@
 
 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 0cb3cbac5479581985e5446078217686
+md5sum = 9ed5d03f4f0cdc022f28b39e8ff1323e

software/dufs/instance.cfg.in

@@ -143,8 +143,9 @@ command-line =
     --bind ${:ip}
     --port ${:port}
     --allow-all
-    --auth /@${admin-password:user}:${admin-password:passwd}
-    --auth /pub@${admin-password:user}:${admin-password:passwd}@*
+    --auth-method basic
+    --auth ${admin-password:user}:${admin-password:passwd}@/:rw
+    --auth @/pub
     --tls-cert ${dufs-certificate:cert-file}
     --tls-key ${dufs-certificate:key-file}
     ${directory:dufs-data-dir}

software/dufs/software.cfg

@@ -14,8 +14,8 @@ parts =
 [dufs]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://github.com/sigoden/dufs/archive/refs/tags/v0.31.0.tar.gz
-md5sum = 4340e59915605e30dcdb70aa9eb06acb
+url = https://github.com/sigoden/dufs/archive/refs/tags/v0.34.1.tar.gz
+md5sum = 77cbb2523aca8dad90fd77ee0277704f
 configure-command = :
 make-binary = cargo install --root=%(location)s --path .
 make-targets =

software/dufs/test/test.py

@@ -67,38 +67,50 @@ class TestFileServer(SlapOSInstanceTestCase):
     )
     self.assertEqual(resp.status_code, requests.codes.ok)
 
-    resp = requests.get(
-      urllib.parse.urljoin(self.connection_parameters['public-url'], '..'),
-      verify=self.ca_cert,
-    )
-    self.assertEqual(resp.status_code, requests.codes.unauthorized)
+    with open(os.path.join(self.computer_partition_root_path, 'srv', 'www', 'secret.txt'), 'w'):
+      resp = requests.get(
+        urllib.parse.urljoin(self.connection_parameters['public-url'], '../secret.txt'),
+        verify=self.ca_cert,
+      )
+      self.assertEqual(resp.status_code, requests.codes.unauthorized)
+      resp = requests.get(
+        urllib.parse.urljoin(self.connection_parameters['public-url'], '../not-exist.txt'),
+        verify=self.ca_cert,
+      )
+      self.assertEqual(resp.status_code, requests.codes.unauthorized)
 
-  def test_upload_file_refused_without_digest_auth(self):
+      # index is allowed on / but it only shows /pub/
+      resp = requests.get(
+        urllib.parse.urljoin(self.connection_parameters['public-url'], '..'),
+        verify=self.ca_cert,
+      )
+      self.assertIn('pub', resp.text)
+      self.assertNotIn('secret', resp.text)
+      self.assertEqual(resp.status_code, requests.codes.ok)
+
+  def test_upload_file_refused_without_auth(self):
+    parsed_upload_url = urllib.parse.urlparse(self.connection_parameters['upload-url'])
+    # upload-url has username:password, remove it
+    self.assertTrue(parsed_upload_url.password)
+    upload_url = parsed_upload_url._replace(
+      netloc=f'[{parsed_upload_url.hostname}]:{parsed_upload_url.port}').geturl()
     resp = requests.put(
-      urllib.parse.urljoin(self.connection_parameters['upload-url'], 'hello.txt'),
+      urllib.parse.urljoin(upload_url, 'hello.txt'),
       data=io.BytesIO(b'hello'),
       verify=self.ca_cert,
     )
     self.assertEqual(resp.status_code, requests.codes.unauthorized)
 
   def test_upload_file(self):
-    parsed_url = urllib.parse.urlparse(self.connection_parameters['upload-url'])
-    auth = requests.auth.HTTPDigestAuth(
-      parsed_url.username,
-      parsed_url.password,
-    )
-
     resp = requests.put(
       urllib.parse.urljoin(self.connection_parameters['upload-url'], 'hello.txt'),
       data=io.BytesIO(b'hello'),
-      auth=auth,
       verify=self.ca_cert,
     )
     self.assertEqual(resp.status_code, requests.codes.created)
 
     resp = requests.get(
       urllib.parse.urljoin(self.connection_parameters['upload-url'], 'hello.txt'),
-      auth=auth,
       verify=self.ca_cert,
     )
     self.assertEqual(resp.text, 'hello')