)
var (
- ErrSignatureExpired = errors.New("Signature expired")
- ErrSignatureInvalid = errors.New("Invalid signature")
- ErrSignatureMalformed = errors.New("Malformed signature")
- ErrSignatureMissing = errors.New("Missing signature")
+ // ErrSignatureExpired - a signature was rejected because the
+ // expiry time has passed.
+ ErrSignatureExpired = errors.New("Signature expired")
+ // ErrSignatureInvalid - a signature was rejected because it
+ // was badly formatted or did not match the given secret key.
+ ErrSignatureInvalid = errors.New("Invalid signature")
+ // ErrSignatureMissing - the given locator does not have a
+ // signature hint.
+ ErrSignatureMissing = errors.New("Missing signature")
)
// makePermSignature generates a SHA-1 HMAC digest for the given blob,
// VerifySignature returns nil if the signature on the signedLocator
// can be verified using the given apiToken. Otherwise it returns
-// either ExpiredError (if the timestamp has expired, which is
-// something the client could have figured out independently) or
-// PermissionError.
+// ErrSignatureExpired (if the signature's expiry time has passed,
+// which is something the client could have figured out
+// independently), ErrSignatureMissing (if there is no signature hint
+// at all), or ErrSignatureInvalid (if the signature is present but
+// badly formatted or incorrect).
//
// This function is intended to be used by system components and admin
// utilities: userland programs do not know the permissionSecret.
sigHex := matches[2]
expHex := matches[3]
if expTime, err := parseHexTimestamp(expHex); err != nil {
- return ErrSignatureMalformed
+ return ErrSignatureInvalid
} else if expTime.Before(time.Now()) {
return ErrSignatureExpired
}
func TestVerifySignatureBadSig(t *testing.T) {
badLocator := knownLocator + "+Aaaaaaaaaaaaaaaa@" + knownTimestamp
- if VerifySignature(badLocator, knownToken, []byte(knownKey)) != PermissionError {
+ if VerifySignature(badLocator, knownToken, []byte(knownKey)) != ErrSignatureMissing {
t.Fail()
}
}
func TestVerifySignatureBadTimestamp(t *testing.T) {
badLocator := knownLocator + "+A" + knownSignature + "@OOOOOOOl"
- if VerifySignature(badLocator, knownToken, []byte(knownKey)) != PermissionError {
+ if VerifySignature(badLocator, knownToken, []byte(knownKey)) != ErrSignatureMissing {
t.Fail()
}
}
func TestVerifySignatureBadSecret(t *testing.T) {
- if VerifySignature(knownSignedLocator, knownToken, []byte("00000000000000000000")) != PermissionError {
+ if VerifySignature(knownSignedLocator, knownToken, []byte("00000000000000000000")) != ErrSignatureInvalid {
t.Fail()
}
}
func TestVerifySignatureBadToken(t *testing.T) {
- if VerifySignature(knownSignedLocator, "00000000", []byte(knownKey)) != PermissionError {
+ if VerifySignature(knownSignedLocator, "00000000", []byte(knownKey)) != ErrSignatureInvalid {
t.Fail()
}
}
func TestVerifySignatureExpired(t *testing.T) {
yesterday := time.Now().AddDate(0, 0, -1)
expiredLocator := SignLocator(knownHash, knownToken, yesterday, []byte(knownKey))
- if VerifySignature(expiredLocator, knownToken, []byte(knownKey)) != ExpiredError {
+ if VerifySignature(expiredLocator, knownToken, []byte(knownKey)) != ErrSignatureExpired {
t.Fail()
}
}
// Check that PutBlock returns the expected error when the hash does
// not match the block.
if _, err := PutBlock(BadBlock, TestHash); err != RequestHashError {
- t.Error("Expected RequestHashError, got %v", err)
+ t.Errorf("Expected RequestHashError, got %v", err)
}
// Confirm that GetBlock fails to return anything.
projects / arvados.git / commitdiff