X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3ee62426a5ebfc056f58cd0655ba1e9f7ed0a722..a5ed26a2a1d01646ac511b925f56484be2e8819a:/services/keepstore/perms_test.go

diff --git a/services/keepstore/perms_test.go b/services/keepstore/perms_test.go
index 9b4e30abe3..f4443fc7be 100644
--- a/services/keepstore/perms_test.go
+++ b/services/keepstore/perms_test.go
@@ -24,103 +24,39 @@ const (
 )
 
 func TestSignLocator(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
+	defer func(b []byte) {
+		PermissionSecret = b
+	}(PermissionSecret)
 
 	tsInt, err := strconv.ParseInt(knownTimestamp, 16, 0)
 	if err != nil {
-		t.Fail()
-	}
-	if knownSignedLocator != SignLocator(knownLocator, knownToken, time.Unix(tsInt, 0)) {
-		t.Fail()
+		t.Fatal(err)
 	}
-}
+	t0 := time.Unix(tsInt, 0)
 
-func TestVerifySignature(t *testing.T) {
 	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	if VerifySignature(knownSignedLocator, knownToken) != nil {
-		t.Fail()
-	}
-}
-
-func TestVerifySignatureExtraHints(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	if VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint, knownToken) != nil {
-		t.Fatal("Verify cannot handle hint before permission signature")
+	if x := SignLocator(knownLocator, knownToken, t0); x != knownSignedLocator {
+		t.Fatalf("Got %+q, expected %+q", x, knownSignedLocator)
 	}
 
-	if VerifySignature(knownLocator+knownSigHint+"+Zfoo", knownToken) != nil {
-		t.Fatal("Verify cannot handle hint after permission signature")
-	}
-
-	if VerifySignature(knownLocator+"+K@xyzzy"+knownSigHint+"+Zfoo", knownToken) != nil {
-		t.Fatal("Verify cannot handle hints around permission signature")
+	PermissionSecret = []byte("arbitrarykey")
+	if x := SignLocator(knownLocator, knownToken, t0); x == knownSignedLocator {
+		t.Fatalf("Got same signature %+q, even though PermissionSecret changed", x)
 	}
 }
 
-// The size hint on the locator string should not affect signature validation.
-func TestVerifySignatureWrongSize(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	if VerifySignature(knownHash+"+999999"+knownSigHint, knownToken) != nil {
-		t.Fatal("Verify cannot handle incorrect size hint")
-	}
+func TestVerifyLocator(t *testing.T) {
+	defer func(b []byte) {
+		PermissionSecret = b
+	}(PermissionSecret)
 
-	if VerifySignature(knownHash+knownSigHint, knownToken) != nil {
-		t.Fatal("Verify cannot handle missing size hint")
-	}
-}
-
-func TestVerifySignatureBadSig(t *testing.T) {
 	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	badLocator := knownLocator + "+Aaaaaaaaaaaaaaaa@" + knownTimestamp
-	if VerifySignature(badLocator, knownToken) != PermissionError {
-		t.Fail()
+	if err := VerifySignature(knownSignedLocator, knownToken); err != nil {
+		t.Fatal(err)
 	}
-}
-
-func TestVerifySignatureBadTimestamp(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	badLocator := knownLocator + "+A" + knownSignature + "@OOOOOOOl"
-	if VerifySignature(badLocator, knownToken) != PermissionError {
-		t.Fail()
-	}
-}
-
-func TestVerifySignatureBadSecret(t *testing.T) {
-	PermissionSecret = []byte("00000000000000000000")
-	defer func() { PermissionSecret = nil }()
-
-	if VerifySignature(knownSignedLocator, knownToken) != PermissionError {
-		t.Fail()
-	}
-}
-
-func TestVerifySignatureBadToken(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
-
-	if VerifySignature(knownSignedLocator, "00000000") != PermissionError {
-		t.Fail()
-	}
-}
-
-func TestVerifySignatureExpired(t *testing.T) {
-	PermissionSecret = []byte(knownKey)
-	defer func() { PermissionSecret = nil }()
 
-	yesterday := time.Now().AddDate(0, 0, -1)
-	expiredLocator := SignLocator(knownHash, knownToken, yesterday)
-	if VerifySignature(expiredLocator, knownToken) != ExpiredError {
-		t.Fail()
+	PermissionSecret = []byte("arbitrarykey")
+	if err := VerifySignature(knownSignedLocator, knownToken); err == nil {
+		t.Fatal("Verified signature even with wrong PermissionSecret")
 	}
 }