X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f39807a3c5dd32520bebd4fcd5254f214351eb4f..8a27fe370239ecb8e50d53f46b45ed61203a35ca:/services/keepstore/perms_test.go diff --git a/services/keepstore/perms_test.go b/services/keepstore/perms_test.go index a2aa725ef8..1322374706 100644 --- a/services/keepstore/perms_test.go +++ b/services/keepstore/perms_test.go @@ -1,123 +1,63 @@ -package main +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: AGPL-3.0 + +package keepstore import ( - "testing" + "strconv" "time" + + "git.arvados.org/arvados.git/sdk/go/arvados" + check "gopkg.in/check.v1" ) -var ( - known_hash = "acbd18db4cc2f85cedef654fccc4a4d8" - known_locator = known_hash + "+3" - known_token = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" - known_key = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + +const ( + knownHash = "acbd18db4cc2f85cedef654fccc4a4d8" + knownLocator = knownHash + "+3" + knownToken = "hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk" + knownKey = "13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk" + "p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc" + "ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4" + "jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y" + "gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6" + "vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei" + "786u5rw2a9gx743dj3fgq2irk" - known_signature = "257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a" - known_timestamp = "7fffffff" - known_signed_locator = known_locator + "+A" + known_signature + "@" + known_timestamp + knownSignatureTTL = arvados.Duration(24 * 14 * time.Hour) + knownSignature = "89118b78732c33104a4d6231e8b5a5fa1e4301e3" + knownTimestamp = "7fffffff" + knownSigHint = "+A" + knownSignature + "@" + knownTimestamp + knownSignedLocator = knownLocator + knownSigHint ) -func TestSignLocator(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if ts, err := ParseHexTimestamp(known_timestamp); err != nil { - t.Errorf("bad known_timestamp %s", known_timestamp) - } else { - if known_signed_locator != SignLocator(known_locator, known_token, ts) { - t.Fail() - } - } -} - -func TestVerifySignature(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if !VerifySignature(known_signed_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureExtraHints(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - sig_stuff := "+A" + known_signature + "@" + known_timestamp - - if !VerifySignature(known_locator + "+K@xyzzy" + sig_stuff, known_token) { - t.Fatal("Verify cannot handle hint before permission signature") +func (s *HandlerSuite) TestSignLocator(c *check.C) { + tsInt, err := strconv.ParseInt(knownTimestamp, 16, 0) + if err != nil { + c.Fatal(err) } + t0 := time.Unix(tsInt, 0) - if !VerifySignature(known_locator + sig_stuff + "+Zfoo", known_token) { - t.Fatal("Verify cannot handle hint after permission signature") + s.cluster.Collections.BlobSigningTTL = knownSignatureTTL + s.cluster.Collections.BlobSigningKey = knownKey + if x := SignLocator(s.cluster, knownLocator, knownToken, t0); x != knownSignedLocator { + c.Fatalf("Got %+q, expected %+q", x, knownSignedLocator) } - if !VerifySignature(known_locator + "+K@xyzzy" + sig_stuff + "+Zfoo", known_token) { - t.Fatal("Verify cannot handle hints around permission signature") + s.cluster.Collections.BlobSigningKey = "arbitrarykey" + if x := SignLocator(s.cluster, knownLocator, knownToken, t0); x == knownSignedLocator { + c.Fatalf("Got same signature %+q, even though blobSigningKey changed", x) } } -// The size hint on the locator string should not affect signature validation. -func TestVerifySignatureWrongSize(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - signed_locator_wrong_size := known_hash + "+999999+A" + known_signature + "@" + known_timestamp - if !VerifySignature(signed_locator_wrong_size, known_token) { - t.Fail() +func (s *HandlerSuite) TestVerifyLocator(c *check.C) { + s.cluster.Collections.BlobSigningTTL = knownSignatureTTL + s.cluster.Collections.BlobSigningKey = knownKey + if err := VerifySignature(s.cluster, knownSignedLocator, knownToken); err != nil { + c.Fatal(err) } -} - -func TestVerifySignatureBadSig(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - bad_locator := known_locator + "+Aaaaaaaaaaaaaaaa@" + known_timestamp - if VerifySignature(bad_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadTimestamp(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - bad_locator := known_locator + "+A" + known_signature + "@00000000" - if VerifySignature(bad_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadSecret(t *testing.T) { - PermissionSecret = []byte("00000000000000000000") - defer func() { PermissionSecret = nil }() - - if VerifySignature(known_signed_locator, known_token) { - t.Fail() - } -} - -func TestVerifySignatureBadToken(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - - if VerifySignature(known_signed_locator, "00000000") { - t.Fail() - } -} - -func TestVerifySignatureExpired(t *testing.T) { - PermissionSecret = []byte(known_key) - defer func() { PermissionSecret = nil }() - yesterday := time.Now().AddDate(0, 0, -1) - expired_locator := SignLocator(known_hash, known_token, yesterday) - if VerifySignature(expired_locator, known_token) { - t.Fail() + s.cluster.Collections.BlobSigningKey = "arbitrarykey" + if err := VerifySignature(s.cluster, knownSignedLocator, knownToken); err == nil { + c.Fatal("Verified signature even with wrong blobSigningKey") } }