X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c59093180fd92f0d7c6607a49458446212ebd058..2b152757ce494145c10971c36754c473d21dfcc7:/services/keepstore/perms_test.go diff --git a/services/keepstore/perms_test.go b/services/keepstore/perms_test.go index 7367dbf0ad..43717b2372 100644 --- a/services/keepstore/perms_test.go +++ b/services/keepstore/perms_test.go @@ -1,125 +1,67 @@ package main import ( + "strconv" "testing" "time" ) const ( - known_hash = "acbd18db4cc2f85cedef654fccc4a4d8" - known_locator = known_hash + "+3" - known_token = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" - known_key = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + + knownHash = "acbd18db4cc2f85cedef654fccc4a4d8" + knownLocator = knownHash + "+3" + knownToken = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" + knownKey = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" + "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" + "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" + "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" + "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" + "786u5rw2a9gx743dj3fgq2irk" - known_signature = "257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a" - known_timestamp = "7fffffff" - known_sig_hint = "+A" + known_signature + "@" + known_timestamp - known_signed_locator = known_locator + known_sig_hint + knownSignatureTTL = 1209600 * time.Second + knownSignature = "89118b78732c33104a4d6231e8b5a5fa1e4301e3" + knownTimestamp = "7fffffff" + knownSigHint = "+A" + knownSignature + "@" + knownTimestamp + knownSignedLocator = knownLocator + knownSigHint ) func TestSignLocator(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() + defer func(b []byte) { + PermissionSecret = b + }(PermissionSecret) - if ts, err := ParseHexTimestamp(known_timestamp); err != nil { - t.Errorf("bad known_timestamp %s", known_timestamp) - } else { - if known_signed_locator != SignLocator(known_locator, known_token, ts) { - t.Fail() - } + tsInt, err := strconv.ParseInt(knownTimestamp, 16, 0) + if err != nil { + t.Fatal(err) } -} - -func TestVerifySignature(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if !VerifySignature(known_signed_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureExtraHints(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if !VerifySignature(known_locator+"+K@xyzzy"+known_sig_hint, known_token) { - t.Fatal("Verify cannot handle hint before permission signature") - } - - if !VerifySignature(known_locator+known_sig_hint+"+Zfoo", known_token) { - t.Fatal("Verify cannot handle hint after permission signature") - } - - if !VerifySignature(known_locator+"+K@xyzzy"+known_sig_hint+"+Zfoo", known_token) { - t.Fatal("Verify cannot handle hints around permission signature") - } -} + t0 := time.Unix(tsInt, 0) -// The size hint on the locator string should not affect signature validation. -func TestVerifySignatureWrongSize(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() + blobSignatureTTL = knownSignatureTTL - if !VerifySignature(known_hash+"+999999"+known_sig_hint, known_token) { - t.Fatal("Verify cannot handle incorrect size hint") + PermissionSecret = []byte(knownKey) + if x := SignLocator(knownLocator, knownToken, t0); x != knownSignedLocator { + t.Fatalf("Got %+q, expected %+q", x, knownSignedLocator) } - if !VerifySignature(known_hash+known_sig_hint, known_token) { - t.Fatal("Verify cannot handle missing size hint") + PermissionSecret = []byte("arbitrarykey") + if x := SignLocator(knownLocator, knownToken, t0); x == knownSignedLocator { + t.Fatalf("Got same signature %+q, even though PermissionSecret changed", x) } } -func TestVerifySignatureBadSig(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() +func TestVerifyLocator(t *testing.T) { + defer func(b []byte) { + PermissionSecret = b + }(PermissionSecret) - bad_locator := known_locator + "+Aaaaaaaaaaaaaaaa@" + known_timestamp - if VerifySignature(bad_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadTimestamp(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - bad_locator := known_locator + "+A" + known_signature + "@00000000" - if VerifySignature(bad_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadSecret(t *testing.T) { - PermissionSecret = []byte("00000000000000000000") - defer func() { PermissionSecret = nil }() + blobSignatureTTL = knownSignatureTTL - if VerifySignature(known_signed_locator, known_token) { - t.Fail() + PermissionSecret = []byte(knownKey) + if err := VerifySignature(knownSignedLocator, knownToken); err != nil { + t.Fatal(err) } -} - -func TestVerifySignatureBadToken(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if VerifySignature(known_signed_locator, "00000000") { - t.Fail() - } -} - -func TestVerifySignatureExpired(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - yesterday := time.Now().AddDate(0, 0, -1) - expired_locator := SignLocator(known_hash, known_token, yesterday) - if VerifySignature(expired_locator, known_token) { - t.Fail() + PermissionSecret = []byte("arbitrarykey") + if err := VerifySignature(knownSignedLocator, knownToken); err == nil { + t.Fatal("Verified signature even with wrong PermissionSecret") } }