X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/740d71d2b7a797bb2dd2e1e427c12e84c86b9ce6..6b30f7c9a223cc1d22974085f6df7aa62393cc55:/services/keepstore/perms_test.go diff --git a/services/keepstore/perms_test.go b/services/keepstore/perms_test.go index d1c6b50496..8e47e4a442 100644 --- a/services/keepstore/perms_test.go +++ b/services/keepstore/perms_test.go @@ -1,104 +1,69 @@ package main import ( + "strconv" "testing" "time" + + "git.curoverse.com/arvados.git/sdk/go/arvados" ) -var ( - known_hash = "acbd18db4cc2f85cedef654fccc4a4d8" - known_locator = known_hash + "+3" - known_token = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" - known_key = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + +const ( + knownHash = "acbd18db4cc2f85cedef654fccc4a4d8" + knownLocator = knownHash + "+3" + knownToken = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" + knownKey = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" + "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" + "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" + "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" + "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" + "786u5rw2a9gx743dj3fgq2irk" - known_signature = "257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a" - known_timestamp = "7fffffff" - known_signed_locator = known_locator + "+A" + known_signature + "@" + known_timestamp + knownSignatureTTL = arvados.Duration(24 * 14 * time.Hour) + knownSignature = "89118b78732c33104a4d6231e8b5a5fa1e4301e3" + knownTimestamp = "7fffffff" + knownSigHint = "+A" + knownSignature + "@" + knownTimestamp + knownSignedLocator = knownLocator + knownSigHint ) func TestSignLocator(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() + defer func(b []byte) { + theConfig.blobSigningKey = b + }(theConfig.blobSigningKey) - if ts, err := ParseHexTimestamp(known_timestamp); err != nil { - t.Errorf("bad known_timestamp %s", known_timestamp) - } else { - if known_signed_locator != SignLocator(known_locator, known_token, ts) { - t.Fail() - } + tsInt, err := strconv.ParseInt(knownTimestamp, 16, 0) + if err != nil { + t.Fatal(err) } -} + t0 := time.Unix(tsInt, 0) -func TestVerifySignature(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() + theConfig.BlobSignatureTTL = knownSignatureTTL - if !VerifySignature(known_signed_locator, known_token) { - t.Fail() + theConfig.blobSigningKey = []byte(knownKey) + if x := SignLocator(knownLocator, knownToken, t0); x != knownSignedLocator { + t.Fatalf("Got %+q, expected %+q", x, knownSignedLocator) } -} -// The size hint on the locator string should not affect signature validation. -func TestVerifySignatureWrongSize(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - signed_locator_wrong_size := known_hash + "+999999+A" + known_signature + "@" + known_timestamp - if !VerifySignature(signed_locator_wrong_size, known_token) { - t.Fail() + theConfig.blobSigningKey = []byte("arbitrarykey") + if x := SignLocator(knownLocator, knownToken, t0); x == knownSignedLocator { + t.Fatalf("Got same signature %+q, even though blobSigningKey changed", x) } } -func TestVerifySignatureBadSig(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() +func TestVerifyLocator(t *testing.T) { + defer func(b []byte) { + theConfig.blobSigningKey = b + }(theConfig.blobSigningKey) - bad_locator := known_locator + "+Aaaaaaaaaaaaaaaa@" + known_timestamp - if VerifySignature(bad_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadTimestamp(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() + theConfig.BlobSignatureTTL = knownSignatureTTL - bad_locator := known_locator + "+A" + known_signature + "@00000000" - if VerifySignature(bad_locator, known_token) { - t.Fail() + theConfig.blobSigningKey = []byte(knownKey) + if err := VerifySignature(knownSignedLocator, knownToken); err != nil { + t.Fatal(err) } -} - -func TestVerifySignatureBadSecret(t *testing.T) { - PermissionSecret = []byte("00000000000000000000") - defer func() { PermissionSecret = nil }() - - if VerifySignature(known_signed_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadToken(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if VerifySignature(known_signed_locator, "00000000") { - t.Fail() - } -} - -func TestVerifySignatureExpired(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - yesterday := time.Now().AddDate(0, 0, -1) - expired_locator := SignLocator(known_hash, known_token, yesterday) - if VerifySignature(expired_locator, known_token) { - t.Fail() + theConfig.blobSigningKey = []byte("arbitrarykey") + if err := VerifySignature(knownSignedLocator, knownToken); err == nil { + t.Fatal("Verified signature even with wrong blobSigningKey") } }