4717: use keep_services -> read_only flag in go sdk.
[arvados.git] / services / keepstore / perms_test.go
1 package main
2
3 import (
4         "testing"
5         "time"
6 )
7
// Fixed test vectors for the permission-signature tests in this file.
// The key and token below are fixtures published with the source; they must
// never be reused as real deployment secrets.
const (
	// MD5 digest of the three-byte string "foo", which matches the "+3" size
	// hint appended to form known_locator.
	known_hash    = "acbd18db4cc2f85cedef654fccc4a4d8"
	known_locator = known_hash + "+3"
	// API token the tests pass to SignLocator and VerifySignature.
	known_token   = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk"
	// Value the tests install as PermissionSecret before signing or verifying.
	known_key     = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" +
		"p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" +
		"ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" +
		"jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" +
		"gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" +
		"vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" +
		"786u5rw2a9gx743dj3fgq2irk"
	// Signature (40 hex digits) that TestSignLocator expects SignLocator to
	// produce for known_locator, known_token and known_timestamp under known_key.
	known_signature      = "257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a"
	// Expiry in hex, parsed by ParseHexTimestamp. Presumably Unix seconds, which
	// would make 0x7fffffff a date in January 2038 - TODO confirm against
	// ParseHexTimestamp.
	known_timestamp      = "7fffffff"
	// Permission hint in the form "+A<signature>@<timestamp>".
	known_sig_hint       = "+A" + known_signature + "@" + known_timestamp
	known_signed_locator = known_locator + known_sig_hint
)
24
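// TestSignLocator checks that signing known_locator for known_token with the
// fixture key and expiry reproduces known_signed_locator exactly.
func TestSignLocator(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	ts, err := ParseHexTimestamp(known_timestamp)
	if err != nil {
		// Without a parsed expiry there is nothing to sign; report why.
		t.Fatalf("bad known_timestamp %s: %v", known_timestamp, err)
	}

	if got := SignLocator(known_locator, known_token, ts); got != known_signed_locator {
		t.Errorf("SignLocator(%q, known_token, %v) = %q, want %q",
			known_locator, ts, got, known_signed_locator)
	}
}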
37
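// TestVerifySignature checks that the fixture signed locator verifies for the
// token it was signed for.
func TestVerifySignature(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	if !VerifySignature(known_signed_locator, known_token) {
		t.Errorf("VerifySignature(%q, known_token) = false, want true", known_signed_locator)
	}
}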
46
// TestVerifySignatureExtraHints checks that a valid permission signature is
// still accepted when other hints appear before it, after it, or on both sides.
//
// Because these locators verify with arbitrary extra hints attached, a
// successful VerifySignature says nothing about those hints; callers should
// not treat them as authenticated.
func TestVerifySignatureExtraHints(t *testing.T) {
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	cases := []struct {
		locator string
		failure string
	}{
		{
			locator: known_locator + "+K@xyzzy" + known_sig_hint,
			failure: "Verify cannot handle hint before permission signature",
		},
		{
			locator: known_locator + known_sig_hint + "+Zfoo",
			failure: "Verify cannot handle hint after permission signature",
		},
		{
			locator: known_locator + "+K@xyzzy" + known_sig_hint + "+Zfoo",
			failure: "Verify cannot handle hints around permission signature",
		},
	}

	// Cases run in order and the first rejection aborts the test.
	for _, c := range cases {
		if VerifySignature(c.locator, known_token) {
			continue
		}
		t.Fatal(c.failure)
	}
}
63
// TestVerifySignatureWrongSize checks that the size hint on the locator string
// does not affect signature validation: the fixture signature is accepted with
// a wrong size hint and with no size hint at all.
//
// The consequence for callers is that a verified locator does not vouch for
// its size hint; the size must not be relied on as authenticated data.
func TestVerifySignatureWrongSize(t *testing.T) {
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	cases := []struct {
		locator string
		failure string
	}{
		{
			locator: known_hash + "+999999" + known_sig_hint,
			failure: "Verify cannot handle incorrect size hint",
		},
		{
			locator: known_hash + known_sig_hint,
			failure: "Verify cannot handle missing size hint",
		},
	}

	// Cases run in order and the first rejection aborts the test.
	for _, c := range cases {
		if VerifySignature(c.locator, known_token) {
			continue
		}
		t.Fatal(c.failure)
	}
}
77
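// TestVerifySignatureBadSig checks that a locator carrying the wrong
// signature is rejected.
//
// Two forgeries are tried. The first has a signature field of the wrong length
// (16 characters where known_signature has 40), which a verifier may reject on
// format alone. The second has the right length and differs from
// known_signature only in its last digit, so it can only be rejected by
// actually comparing signature values.
func TestVerifySignatureBadSig(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	short_sig_locator := known_locator + "+Aaaaaaaaaaaaaaaa@" + known_timestamp
	if VerifySignature(short_sig_locator, known_token) {
		t.Errorf("VerifySignature accepted a wrong-length signature: %q", short_sig_locator)
	}

	// known_signature ends in "a", so swapping the final digit for "b" always
	// yields a different, well-formed signature.
	wrong_signature := known_signature[:len(known_signature)-1] + "b"
	wrong_sig_locator := known_locator + "+A" + wrong_signature + "@" + known_timestamp
	if VerifySignature(wrong_sig_locator, known_token) {
		t.Errorf("VerifySignature accepted a well-formed but wrong signature: %q", wrong_sig_locator)
	}
}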
87
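// TestVerifySignatureBadTimestamp checks that the signature stops verifying
// when the timestamp in the locator is not the one that was signed.
//
// "@00000000" alone is ambiguous: assuming timestamps are hex Unix seconds
// (TODO confirm against ParseHexTimestamp), it is also long expired, so the
// locator could be rejected for expiry without the signature ever being
// checked. The second case uses "7ffffffe", one less than known_timestamp and
// therefore equally unexpired under that assumption, so it verifies only if the
// expiry is not bound into the signature.
func TestVerifySignatureBadTimestamp(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	zero_ts_locator := known_locator + "+A" + known_signature + "@00000000"
	if VerifySignature(zero_ts_locator, known_token) {
		t.Errorf("VerifySignature accepted a locator with timestamp 00000000: %q", zero_ts_locator)
	}

	altered_ts_locator := known_locator + "+A" + known_signature + "@7ffffffe"
	if VerifySignature(altered_ts_locator, known_token) {
		t.Errorf("VerifySignature accepted a signature with an altered timestamp: %q", altered_ts_locator)
	}
}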
97
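// TestVerifySignatureBadSecret checks that a locator signed under known_key is
// rejected when the server is configured with a different PermissionSecret.
func TestVerifySignatureBadSecret(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so this wrong
	// key does not carry over into other tests.
	PermissionSecret = []byte("00000000000000000000")
	defer func() { PermissionSecret = nil }()

	if VerifySignature(known_signed_locator, known_token) {
		t.Errorf("VerifySignature accepted %q under a different PermissionSecret", known_signed_locator)
	}
}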
106
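// TestVerifySignatureBadToken checks that a signed locator is rejected when
// presented with a token other than the one it was signed for.
func TestVerifySignatureBadToken(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	if VerifySignature(known_signed_locator, "00000000") {
		t.Errorf("VerifySignature accepted %q for a token it was not signed for", known_signed_locator)
	}
}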
115
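// TestVerifySignatureExpired checks that a correctly signed locator is
// rejected once its expiry time has passed.
//
// A control locator, signed the same way but expiring tomorrow, must verify.
// Without it, the expired locator could be rejected for an unrelated reason
// and the test would still pass.
func TestVerifySignatureExpired(t *testing.T) {
	// PermissionSecret is package-level state; clear it on exit so the fixture
	// key does not carry over into other tests.
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	now := time.Now()

	tomorrow := now.AddDate(0, 0, 1)
	fresh_locator := SignLocator(known_hash, known_token, tomorrow)
	if !VerifySignature(fresh_locator, known_token) {
		t.Fatalf("control failed: VerifySignature rejected unexpired locator %q", fresh_locator)
	}

	yesterday := now.AddDate(0, 0, -1)
	expired_locator := SignLocator(known_hash, known_token, yesterday)
	if VerifySignature(expired_locator, known_token) {
		t.Errorf("VerifySignature accepted expired locator %q", expired_locator)
	}
}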