Add test cases that produce predictable signatures with fixed expiry times.

diff --git a/services/api/app/models/blob.rb b/services/api/app/models/blob.rb
index 11fab9fb59b6c0369c0519d9553e798665ae8933..5decd77261a44bdc0ec4145cf5b3fce80aa7cb2b 100644 (file)
--- a/services/api/app/models/blob.rb
+++ b/services/api/app/models/blob.rb
@@ -21,21 +21,30 @@ class Blob
   # The 'opts' argument should include:
   #   [required] :key       - the Arvados server-side blobstore key
   #   [required] :api_token - user's API token
-  #   [optional] :ttl       - number of seconds before this request expires
+  #   [optional] :ttl       - number of seconds before signature should expire
+  #   [optional] :expire    - unix timestamp when signature should expire
   #
   def self.sign_locator blob_locator, opts
     # We only use the hash portion for signatures.
     blob_hash = blob_locator.split('+').first
 
-    # Generate an expiry timestamp (seconds since epoch, base 16)
-    timestamp = (Time.now.to_i + (opts[:ttl] || 600)).to_s(16)
+    # Generate an expiry timestamp (seconds after epoch, base 16)
+    if opts[:expire]
+      if opts[:ttl]
+        raise "Cannot specify both :ttl and :expire options"
+      end
+      timestamp = opts[:expire]
+    else
+      timestamp = Time.now.to_i + (opts[:ttl] || 600)
+    end
+    timestamp_hex = timestamp.to_s(16)
     # => "53163cb4"
 
     # Generate a signature.
     signature =
-      generate_signature opts[:key], blob_hash, opts[:api_token], timestamp
+      generate_signature opts[:key], blob_hash, opts[:api_token], timestamp_hex
 
-    blob_locator + '+A' + signature + '@' + timestamp
+    blob_locator + '+A' + signature + '@' + timestamp_hex
   end
 
   # Blob.verify_signature

diff --git a/services/api/test/unit/blob_test.rb b/services/api/test/unit/blob_test.rb
index ec6e67a168f6ee176e007977f761790611b60cf5..0794a751e097bb7b42317529177085e5572a3810 100644 (file)
--- a/services/api/test/unit/blob_test.rb
+++ b/services/api/test/unit/blob_test.rb
@@ -7,6 +7,33 @@ class BlobTest < ActiveSupport::TestCase
   @@blob_locator = Digest::MD5.hexdigest(@@blob_data) +
     '+' + @@blob_data.size.to_s
 
+  @@known_locator = 'acbd18db4cc2f85cedef654fccc4a4d8+3'
+  @@known_token = 'hocfupkn2pjhrpgp2vxv8rsku7tvtx49arbc9s4bvu7p7wxqvk'
+  @@known_key = '13u9fkuccnboeewr0ne3mvapk28epf68a3bhj9q8sb4l6e4e5mkk' +
+    'p6nhj2mmpscgu1zze5h5enydxfe3j215024u16ij4hjaiqs5u4pzsl3nczmaoxnc' +
+    'ljkm4875xqn4xv058koz3vkptmzhyheiy6wzevzjmdvxhvcqsvr5abhl15c2d4o4' +
+    'jhl0s91lojy1mtrzqqvprqcverls0xvy9vai9t1l1lvvazpuadafm71jl4mrwq2y' +
+    'gokee3eamvjy8qq1fvy238838enjmy5wzy2md7yvsitp5vztft6j4q866efym7e6' +
+    'vu5wm9fpnwjyxfldw3vbo01mgjs75rgo7qioh8z8ij7jpyp8508okhgbbex3ceei' +
+    '786u5rw2a9gx743dj3fgq2irk'
+  @@known_signed_locator = 'acbd18db4cc2f85cedef654fccc4a4d8+3' +
+    '+A257f3f5f5f0a4e4626a18fc74bd42ec34dcb228a@7fffffff'
+
+  test 'generate predictable invincible signature' do
+    signed = Blob.sign_locator @@known_locator, {
+      api_token: @@known_token,
+      key: @@known_key,
+      expire: 0x7fffffff,
+    }
+    assert_equal @@known_signed_locator, signed
+  end
+
+  test 'verify predictable invincible signature' do
+    assert_equal true, Blob.verify_signature!(@@known_signed_locator,
+                                              api_token: @@known_token,
+                                              key: @@known_key)
+  end
+
   test 'correct' do
     signed = Blob.sign_locator @@blob_locator, api_token: @@api_token, key: @@key
     assert_equal true, Blob.verify_signature!(signed, api_token: @@api_token, key: @@key)