X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a3222e35cda68c8e48a17921c33ac37ecb5c3bac..241f0bcdacbf83b587bff9ff45985e720bde9f0b:/services/keepstore/perms_test.go
diff --git a/services/keepstore/perms_test.go b/services/keepstore/perms_test.go
index d1c6b50496..e43cb8dcd9 100644
--- a/services/keepstore/perms_test.go
+++ b/services/keepstore/perms_test.go
@@ -5,7 +5,7 @@ import (
 "time"
 )
-var (
+const (
 known_hash = "acbd18db4cc2f85cedef654fccc4a4d8"
 known_locator = known_hash + "+3"
 known_token = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk"
@@ -18,7 +18,8 @@ var (
 "786u5rw2a9gx743dj3fgq2irk"
 known_signature = "257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a"
 known_timestamp = "7fffffff"
- known_signed_locator = known_locator + "+A" + known_signature + "@" + known_timestamp
+ known_sig_hint = "+A" + known_signature + "@" + known_timestamp
+ known_signed_locator = known_locator + known_sig_hint
 )
 func TestSignLocator(t *testing.T) {
@@ -38,19 +39,39 @@ func TestVerifySignature(t *testing.T) {
 PermissionSecret = []byte(known_key)
 defer func() { PermissionSecret = nil }()
- if !VerifySignature(known_signed_locator, known_token) {
+ if VerifySignature(known_signed_locator, known_token) != nil {
 t.Fail()
 }
 }
+func TestVerifySignatureExtraHints(t *testing.T) {
+ PermissionSecret = []byte(known_key)
+ defer func() { PermissionSecret = nil }()
+
+ if VerifySignature(known_locator+"+K@xyzzy"+known_sig_hint, known_token) != nil {
+ t.Fatal("Verify cannot handle hint before permission signature")
+ }
+
+ if VerifySignature(known_locator+known_sig_hint+"+Zfoo", known_token) != nil {
+ t.Fatal("Verify cannot handle hint after permission signature")
+ }
+
+ if VerifySignature(known_locator+"+K@xyzzy"+known_sig_hint+"+Zfoo", known_token) != nil {
+ t.Fatal("Verify cannot handle hints around permission signature")
+ }
+}
+
 // The size hint on the locator string should not affect signature validation.
 func TestVerifySignatureWrongSize(t *testing.T) {
 PermissionSecret = []byte(known_key)
 defer func() { PermissionSecret = nil }()
- signed_locator_wrong_size := known_hash + "+999999+A" + known_signature + "@" + known_timestamp
- if !VerifySignature(signed_locator_wrong_size, known_token) {
- t.Fail()
+ if VerifySignature(known_hash+"+999999"+known_sig_hint, known_token) != nil {
+ t.Fatal("Verify cannot handle incorrect size hint")
+ }
+
+ if VerifySignature(known_hash+known_sig_hint, known_token) != nil {
+ t.Fatal("Verify cannot handle missing size hint")
 }
 }
@@ -59,7 +80,7 @@ func TestVerifySignatureBadSig(t *testing.T) {
 defer func() { PermissionSecret = nil }()
 bad_locator := known_locator + "+Aaaaaaaaaaaaaaaa@" + known_timestamp
- if VerifySignature(bad_locator, known_token) {
+ if VerifySignature(bad_locator, known_token) != PermissionError {
 t.Fail()
 }
 }
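Review bot: TestVerifySignatureExtraHints and the new size-hint cases only assert acceptance, so nothing pins that a locator carrying extra hints is still rejected when its `+A` signature is wrong. Since the verifier now has to pick the permission hint out from among other hints, a rejection case next to the acceptance cases is worth having; presumably it should return PermissionError as in TestVerifySignatureBadSig, but VerifySignature itself is not visible in this diff. It would also help to decide, and then test, what happens when a locator carries more than one `+A` hint.

```go
// … unchanged: TestVerifySignatureExtraHints …

// Extra hints around the permission hint must not turn a bad signature
// into an accepted one.
func TestVerifySignatureExtraHintsBadSig(t *testing.T) {
	PermissionSecret = []byte(known_key)
	defer func() { PermissionSecret = nil }()

	bad_sig_hint := "+Aaaaaaaaaaaaaaaa@" + known_timestamp
	if err := VerifySignature(known_locator+"+K@xyzzy"+bad_sig_hint+"+Zfoo", known_token); err != PermissionError {
		t.Fatalf("bad signature between extra hints: got %v, want PermissionError", err)
	}
}
```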
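Review bot: With VerifySignature now returning nil, PermissionError or ExpiredError, the bare `t.Fail()` after `!= PermissionError` in TestVerifySignatureBadSig does not say which value actually came back when the test fails. Capturing and reporting the result, e.g. `if err := VerifySignature(bad_locator, known_token); err != PermissionError { t.Errorf("got %v, want PermissionError", err) }`, makes a regression in the error mapping diagnosable from the test log. The same applies to the BadTimestamp, BadSecret, BadToken and Expired hunks further down. The function body starts above this hunk, so only its tail is visible here.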
@@ -68,8 +89,8 @@ func TestVerifySignatureBadTimestamp(t *testing.T) {
 PermissionSecret = []byte(known_key)
 defer func() { PermissionSecret = nil }()
- bad_locator := known_locator + "+A" + known_signature + "@00000000"
- if VerifySignature(bad_locator, known_token) {
+ bad_locator := known_locator + "+A" + known_signature + "@OOOOOOOl"
+ if VerifySignature(bad_locator, known_token) != PermissionError {
 t.Fail()
 }
 }
@@ -78,7 +99,7 @@ func TestVerifySignatureBadSecret(t *testing.T) {
 PermissionSecret = []byte("00000000000000000000")
 defer func() { PermissionSecret = nil }()
- if VerifySignature(known_signed_locator, known_token) {
+ if VerifySignature(known_signed_locator, known_token) != PermissionError {
 t.Fail()
 }
 }
@@ -87,7 +108,7 @@ func TestVerifySignatureBadToken(t *testing.T) {
 PermissionSecret = []byte(known_key)
 defer func() { PermissionSecret = nil }()
- if VerifySignature(known_signed_locator, "00000000") {
+ if VerifySignature(known_signed_locator, "00000000") != PermissionError {
 t.Fail()
 }
 }
@@ -98,7 +119,7 @@ func TestVerifySignatureExpired(t *testing.T) {
 yesterday := time.Now().AddDate(0, 0, -1)
 expired_locator := SignLocator(known_hash, known_token, yesterday)
- if VerifySignature(expired_locator, known_token) {
+ if VerifySignature(expired_locator, known_token) != ExpiredError {
 t.Fail()
 }
 }
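Review bot: The new literal `"@OOOOOOOl"` in TestVerifySignatureBadTimestamp is made of the letters O and l, which is easy to misread as `@00000001`, and nothing in the test says the timestamp is meant to be non-hex; a comment such as `// letters O and l, not digits: the timestamp is deliberately not valid hex` would make that explicit. With this change the suite no longer has a case where the timestamp is well-formed hex but differs from the one that was signed, which is the check that keeps a signature's lifetime from being altered after issue. Consider keeping such a case beside this one, using a constructed future value (for example `bad_locator := known_locator + "+A" + known_signature + "@7ffffffe"`) so that expiry cannot mask the result. Presumably that should yield PermissionError, though VerifySignature is outside this diff.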