Merge branch '18051-collectionfs'
[arvados.git] / sdk / go / arvados / blob_signature_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: Apache-2.0
4
5 package arvados
6
7 import (
8         "time"
9
10         check "gopkg.in/check.v1"
11 )
12
13 const (
14         knownHash    = "acbd18db4cc2f85cedef654fccc4a4d8"
15         knownLocator = knownHash + "+3"
16         knownToken   = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk"
17         knownKey     = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" +
18                 "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" +
19                 "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" +
20                 "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" +
21                 "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" +
22                 "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" +
23                 "786u5rw2a9gx743dj3fgq2irk"
24         knownSignature     = "89118b78732c33104a4d6231e8b5a5fa1e4301e3"
25         knownTimestamp     = "7fffffff"
26         knownSigHint       = "+A" + knownSignature + "@" + knownTimestamp
27         knownSignedLocator = knownLocator + knownSigHint
28         blobSignatureTTL   = 1209600 * time.Second
29 )
30
31 var _ = check.Suite(&BlobSignatureSuite{})
32
33 type BlobSignatureSuite struct{}
34
35 func (s *BlobSignatureSuite) TestSignLocator(c *check.C) {
36         ts, err := parseHexTimestamp(knownTimestamp)
37         c.Check(err, check.IsNil)
38         c.Check(SignLocator(knownLocator, knownToken, ts, blobSignatureTTL, []byte(knownKey)), check.Equals, knownSignedLocator)
39 }
40
41 func (s *BlobSignatureSuite) TestVerifySignature(c *check.C) {
42         c.Check(VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
43 }
44
45 func (s *BlobSignatureSuite) TestVerifySignatureExtraHints(c *check.C) {
46         // handle hint before permission signature
47         c.Check(VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
48
49         // handle hint after permission signature
50         c.Check(VerifySignature(knownLocator+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
51
52         // handle hints around permission signature
53         c.Check(VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint+"+Zfoo", knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
54 }
55
56 // The size hint on the locator string should not affect signature
57 // validation.
58 func (s *BlobSignatureSuite) TestVerifySignatureWrongSize(c *check.C) {
59         // handle incorrect size hint
60         c.Check(VerifySignature(knownHash+"+999999"+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
61
62         // handle missing size hint
63         c.Check(VerifySignature(knownHash+knownSigHint, knownToken, blobSignatureTTL, []byte(knownKey)), check.IsNil)
64 }
65
66 func (s *BlobSignatureSuite) TestVerifySignatureBadSig(c *check.C) {
67         badLocator := knownLocator + "+Aaaaaaaaaaaaaaaa@" + knownTimestamp
68         c.Check(VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureMissing)
69 }
70
71 func (s *BlobSignatureSuite) TestVerifySignatureBadTimestamp(c *check.C) {
72         badLocator := knownLocator + "+A" + knownSignature + "@OOOOOOOl"
73         c.Check(VerifySignature(badLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureMissing)
74 }
75
76 func (s *BlobSignatureSuite) TestVerifySignatureBadSecret(c *check.C) {
77         c.Check(VerifySignature(knownSignedLocator, knownToken, blobSignatureTTL, []byte("00000000000000000000")), check.Equals, ErrSignatureInvalid)
78 }
79
80 func (s *BlobSignatureSuite) TestVerifySignatureBadToken(c *check.C) {
81         c.Check(VerifySignature(knownSignedLocator, "00000000", blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureInvalid)
82 }
83
84 func (s *BlobSignatureSuite) TestVerifySignatureExpired(c *check.C) {
85         yesterday := time.Now().AddDate(0, 0, -1)
86         expiredLocator := SignLocator(knownHash, knownToken, yesterday, blobSignatureTTL, []byte(knownKey))
87         c.Check(VerifySignature(expiredLocator, knownToken, blobSignatureTTL, []byte(knownKey)), check.Equals, ErrSignatureExpired)
88 }