sdk/go/keepclient/perms_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: Apache-2.0
   4
   5 package keepclient
   6
   7 import (
   8         "testing"
   9         "time"
  10 )
  11
  12 const (
  13         knownHash    = "acbd18db4cc2f85cedef654fccc4a4d8"
  14         knownLocator = knownHash + "+3"
  15         knownToken   = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk"
  16         knownKey     = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" +
  17                 "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" +
  18                 "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" +
  19                 "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" +
  20                 "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" +
  21                 "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" +
  22                 "786u5rw2a9gx743dj3fgq2irk"
  23         knownSignature     = "89118b78732c33104a4d6231e8b5a5fa1e4301e3"
  24         knownTimestamp     = "7fffffff"
  25         knownSigHint       = "+A" + knownSignature + "@" + knownTimestamp
  26         knownSignedLocator = knownLocator + knownSigHint
  27         blobSignatureTTL   = 1209600 * time.Second
  28 )
  29
  30 func TestSignLocator(t *testing.T) {
  31         if ts, err := parseHexTimestamp(knownTimestamp); err != nil {
  32                 t.Errorf("bad knownTimestamp %s", knownTimestamp)
  33         } else {
  34                 if knownSignedLocator != SignLocator(knownLocator, knownToken, ts, blobSignatureTTL, []byte(knownKey)) {
  35                         t.Fail()
  36                 }
  37         }
  38 }
  39
  40 func TestVerifySignature(t *testing.T) {
  41         if VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  42                 t.Fail()
  43         }
  44 }
  45
  46 func TestVerifySignatureExtraHints(t *testing.T) {
  47         if VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  48                 t.Fatal("Verify cannot handle hint before permission signature")
  49         }
  50
  51         if VerifySignature(knownLocator+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  52                 t.Fatal("Verify cannot handle hint after permission signature")
  53         }
  54
  55         if VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  56                 t.Fatal("Verify cannot handle hints around permission signature")
  57         }
  58 }
  59
  60 // The size hint on the locator string should not affect signature validation.
  61 func TestVerifySignatureWrongSize(t *testing.T) {
  62         if VerifySignature(knownHash+"+999999"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  63                 t.Fatal("Verify cannot handle incorrect size hint")
  64         }
  65
  66         if VerifySignature(knownHash+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)) != nil {
  67                 t.Fatal("Verify cannot handle missing size hint")
  68         }
  69 }
  70
  71 func TestVerifySignatureBadSig(t *testing.T) {
  72         badLocator := knownLocator + "+Aaaaaaaaaaaaaaaa@" + knownTimestamp
  73         if VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)) != ErrSignatureMissing {
  74                 t.Fail()
  75         }
  76 }
  77
  78 func TestVerifySignatureBadTimestamp(t *testing.T) {
  79         badLocator := knownLocator + "+A" + knownSignature + "@OOOOOOOl"
  80         if VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)) != ErrSignatureMissing {
  81                 t.Fail()
  82         }
  83 }
  84
  85 func TestVerifySignatureBadSecret(t *testing.T) {
  86         if VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte("00000000000000000000")) != ErrSignatureInvalid {
  87                 t.Fail()
  88         }
  89 }
  90
  91 func TestVerifySignatureBadToken(t *testing.T) {
  92         if VerifySignature(knownSignedLocator, "00000000", blobSignatureTTL, []byte(knownKey)) != ErrSignatureInvalid {
  93                 t.Fail()
  94         }
  95 }
  96
  97 func TestVerifySignatureExpired(t *testing.T) {
  98         yesterday := time.Now().AddDate(0, 0, -1)
  99         expiredLocator := SignLocator(knownHash, knownToken, yesterday, blobSignatureTTL, []byte(knownKey))
 100         if VerifySignature(expiredLocator, knownToken, blobSignatureTTL, []byte(knownKey)) != ErrSignatureExpired {
 101                 t.Fail()
 102         }
 103 }