sdk/go/arvados/blob_signature_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: Apache-2.0
   4
   5 package arvados
   6
   7 import (
   8         "time"
   9
  10         check "gopkg.in/check.v1"
  11 )
  12
  13 const (
  14         knownHash    = "acbd18db4cc2f85cedef654fccc4a4d8"
  15         knownLocator = knownHash + "+3"
  16         knownToken   = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk"
  17         knownKey     = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" +
  18                 "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" +
  19                 "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" +
  20                 "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" +
  21                 "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" +
  22                 "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" +
  23                 "786u5rw2a9gx743dj3fgq2irk"
  24         knownSignature     = "89118b78732c33104a4d6231e8b5a5fa1e4301e3"
  25         knownTimestamp     = "7fffffff"
  26         knownSigHint       = "+A" + knownSignature + "@" + knownTimestamp
  27         knownSignedLocator = knownLocator + knownSigHint
  28         blobSignatureTTL   = 1209600 * time.Second
  29 )
  30
  31 var _ = check.Suite(&BlobSignatureSuite{})
  32
  33 type BlobSignatureSuite struct{}
  34
  35 func (s *BlobSignatureSuite) BenchmarkSignManifest(c *check.C) {
  36         DebugLocksPanicMode = false
  37         ts, err := parseHexTimestamp(knownTimestamp)
  38         c.Check(err, check.IsNil)
  39         c.Logf("test manifest is %d bytes", len(bigmanifest))
  40         for i := 0; i < c.N; i++ {
  41                 m := SignManifest(bigmanifest, knownToken, ts, blobSignatureTTL, []byte(knownKey))
  42                 c.Check(m, check.Not(check.Equals), "")
  43         }
  44 }
  45
  46 func (s *BlobSignatureSuite) TestSignLocator(c *check.C) {
  47         ts, err := parseHexTimestamp(knownTimestamp)
  48         c.Check(err, check.IsNil)
  49         c.Check(SignLocator(knownLocator, knownToken, ts, blobSignatureTTL, []byte(knownKey)), check.Equals, knownSignedLocator)
  50 }
  51
  52 func (s *BlobSignatureSuite) TestVerifySignature(c *check.C) {
  53         c.Check(VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  54 }
  55
  56 func (s *BlobSignatureSuite) TestVerifySignatureExtraHints(c *check.C) {
  57         // handle hint before permission signature
  58         c.Check(VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  59
  60         // handle hint after permission signature
  61         c.Check(VerifySignature(knownLocator+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  62
  63         // handle hints around permission signature
  64         c.Check(VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  65 }
  66
  67 // The size hint on the locator string should not affect signature
  68 // validation.
  69 func (s *BlobSignatureSuite) TestVerifySignatureWrongSize(c *check.C) {
  70         // handle incorrect size hint
  71         c.Check(VerifySignature(knownHash+"+999999"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  72
  73         // handle missing size hint
  74         c.Check(VerifySignature(knownHash+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
  75 }
  76
  77 func (s *BlobSignatureSuite) TestVerifySignatureBadSig(c *check.C) {
  78         badLocator := knownLocator + "+Aaaaaaaaaaaaaaaa@" + knownTimestamp
  79         c.Check(VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureMissing)
  80 }
  81
  82 func (s *BlobSignatureSuite) TestVerifySignatureBadTimestamp(c *check.C) {
  83         badLocator := knownLocator + "+A" + knownSignature + "@OOOOOOOl"
  84         c.Check(VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureMissing)
  85 }
  86
  87 func (s *BlobSignatureSuite) TestVerifySignatureBadSecret(c *check.C) {
  88         c.Check(VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte("00000000000000000000")), check.Equals, ErrSignatureInvalid)
  89 }
  90
  91 func (s *BlobSignatureSuite) TestVerifySignatureBadToken(c *check.C) {
  92         c.Check(VerifySignature(knownSignedLocator, "00000000", blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureInvalid)
  93 }
  94
  95 func (s *BlobSignatureSuite) TestVerifySignatureExpired(c *check.C) {
  96         yesterday := time.Now().AddDate(0, 0, -1)
  97         expiredLocator := SignLocator(knownHash, knownToken, yesterday, blobSignatureTTL, []byte(knownKey))
  98         c.Check(VerifySignature(expiredLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureExpired)
  99 }