storj/pkg/peertls/tlsopts/tls_test.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package tlsopts_test

import (
	"crypto/x509"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"storj.io/storj/internal/testcontext"
	"storj.io/storj/internal/testidentity"
	"storj.io/storj/internal/testpeertls"
	"storj.io/storj/internal/testplanet"
	"storj.io/storj/pkg/identity"
	"storj.io/storj/pkg/peertls"
	"storj.io/storj/pkg/peertls/extensions"
	"storj.io/storj/pkg/peertls/tlsopts"
	"storj.io/storj/pkg/storj"
	"storj.io/storj/storage"
)

func TestVerifyIdentity_success(t *testing.T) {
	for i := 0; i < 50; i++ {
		ident, err := testplanet.PregeneratedIdentity(i)
		require.NoError(t, err)

		err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))
		assert.NoError(t, err)
	}
}

func TestVerifyIdentity_success_signed(t *testing.T) {
	for i := 0; i < 50; i++ {
		ident, err := testplanet.PregeneratedSignedIdentity(i)
		require.NoError(t, err)

		err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))
		assert.NoError(t, err)
	}
}

func TestVerifyIdentity_error(t *testing.T) {
	ident, err := testplanet.PregeneratedIdentity(0)
	require.NoError(t, err)

	identTheftVictim, err := testplanet.PregeneratedIdentity(1)
	require.NoError(t, err)

	cases := []struct {
		test   string
		nodeID storj.NodeID
	}{
		{"empty node ID", storj.NodeID{}},
		{"garbage node ID", storj.NodeID{0, 1, 2, 3}},
		{"wrong node ID", identTheftVictim.ID},
	}

	for _, c := range cases {
		t.Run(c.test, func(t *testing.T) {
			err := tlsopts.VerifyIdentity(c.nodeID)(nil, identity.ToChains(ident.Chain()))
			assert.Error(t, err)
		})
	}
}

func TestExtensionMap_HandleExtensions(t *testing.T) {
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	keys, originalChain, err := testpeertls.NewCertChain(2)
	assert.NoError(t, err)

	rev := new(extensions.Revocation)

	// TODO: `keys[peertls.CAIndex]`
	oldRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[0], originalChain)
	require.NoError(t, err)
	err = rev.Unmarshal(revocationExt.Value)
	require.NoError(t, err)
	err = rev.Verify(oldRevokedLeafChain[peertls.CAIndex])
	require.NoError(t, err)

	// NB: node ID is the same, timestamp must change
	// (see: identity.RevocationDB#Put)
	time.Sleep(1 * time.Second)
	// TODO: `keys[peertls.CAIndex]`
	newRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[0], oldRevokedLeafChain)
	require.NoError(t, err)
	err = rev.Unmarshal(revocationExt.Value)
	require.NoError(t, err)
	err = rev.Verify(newRevokedLeafChain[peertls.CAIndex])
	require.NoError(t, err)

	testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {
		opts := &extensions.Options{
			RevDB: revDB,
		}

		testcases := []struct {
			name  string
			chain []*x509.Certificate
		}{
			{"no extensions", originalChain},
			{"leaf revocation", oldRevokedLeafChain},
			{"double leaf revocation", newRevokedLeafChain},
			// TODO: more and more diverse extensions in cases
		}

		{
			handlerFuncMap := extensions.AllHandlers.WithOptions(opts)
			for _, testcase := range testcases {
				t.Log(testcase.name)
				extensionsMap := tlsopts.NewExtensionsMap(testcase.chain...)
				err := extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(testcase.chain))
				assert.NoError(t, err)
			}
		}
	})
}

func TestExtensionMap_HandleExtensions_error(t *testing.T) {
	ctx := testcontext.New(t)
	defer ctx.Cleanup()

	testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {
		keys, chain, oldRevocation, err := testpeertls.NewRevokedLeafChain()
		assert.NoError(t, err)

		// NB: node ID is the same, timestamp must change
		// (see: identity.RevocationDB#Put)
		time.Sleep(time.Second)
		_, newRevocation, err := testpeertls.RevokeLeaf(keys[0], chain)
		require.NoError(t, err)

		assert.NotEqual(t, oldRevocation, newRevocation)

		err = revDB.Put(chain, newRevocation)
		assert.NoError(t, err)

		opts := &extensions.Options{RevDB: revDB}
		handlerFuncMap := extensions.HandlerFactories{
			extensions.RevocationUpdateHandler,
		}.WithOptions(opts)
		extensionsMap := tlsopts.NewExtensionsMap(chain[peertls.LeafIndex])

		assert.Equal(t, oldRevocation, extensionsMap[extensions.RevocationExtID.String()])

		err = extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(chain))
		assert.Errorf(t, err, extensions.ErrRevocationTimestamp.Error())
	})
}
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package tlsopts_test`

			`import (`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`"crypto/x509"`
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00			`"testing"`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`"time"`
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`"storj.io/storj/internal/testcontext"`
			`"storj.io/storj/internal/testidentity"`
			`"storj.io/storj/internal/testpeertls"`
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00			`"storj.io/storj/internal/testplanet"`
			`"storj.io/storj/pkg/identity"`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`"storj.io/storj/pkg/peertls"`
			`"storj.io/storj/pkg/peertls/extensions"`
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00			`"storj.io/storj/pkg/peertls/tlsopts"`
			`"storj.io/storj/pkg/storj"`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00			`"storj.io/storj/storage"`
[V3-1320] fix empty node ID verification non-error (#1395) * small identity refactor: + Optimize? iterative cert chain methods to use array instead of slice + Add `ToChain` helper for converting 1d to 2d cert chain TODO: replace literal declarations with this + rename `ChainRaw/RestChainRaw` to `RawChain/RawRestChain` (adjective noun, instead of nound adjective) * add regression tests for V3-1320 * fix V3-1320 * separate `DialUnverifiedIDOption` from `DialOption` * separate `PingNode` and `DialNode` from `PingAddress` and `DialAddress` * update node ID while bootstrapping * goimports & fix comment * add test case 2019-03-04 20:03:33 +00:00			`)`

			`func TestVerifyIdentity_success(t *testing.T) {`
			`for i := 0; i < 50; i++ {`
			`ident, err := testplanet.PregeneratedIdentity(i)`
			`require.NoError(t, err)`

			`err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))`
			`assert.NoError(t, err)`
			`}`
			`}`

			`func TestVerifyIdentity_success_signed(t *testing.T) {`
			`for i := 0; i < 50; i++ {`
			`ident, err := testplanet.PregeneratedSignedIdentity(i)`
			`require.NoError(t, err)`

			`err = tlsopts.VerifyIdentity(ident.ID)(nil, identity.ToChains(ident.Chain()))`
			`assert.NoError(t, err)`
			`}`
			`}`

			`func TestVerifyIdentity_error(t *testing.T) {`
			`ident, err := testplanet.PregeneratedIdentity(0)`
			`require.NoError(t, err)`

			`identTheftVictim, err := testplanet.PregeneratedIdentity(1)`
			`require.NoError(t, err)`

			`cases := []struct {`
			`test string`
			`nodeID storj.NodeID`
			`}{`
			`{"empty node ID", storj.NodeID{}},`
			`{"garbage node ID", storj.NodeID{0, 1, 2, 3}},`
			`{"wrong node ID", identTheftVictim.ID},`
			`}`

			`for _, c := range cases {`
			`t.Run(c.test, func(t *testing.T) {`
			`err := tlsopts.VerifyIdentity(c.nodeID)(nil, identity.ToChains(ident.Chain()))`
			`assert.Error(t, err)`
			`})`
			`}`
			`}`
extension serialization (#1554) 2019-04-03 16:03:53 +01:00
			`func TestExtensionMap_HandleExtensions(t *testing.T) {`
			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

			`keys, originalChain, err := testpeertls.NewCertChain(2)`
			`assert.NoError(t, err)`

			`rev := new(extensions.Revocation)`

			// TODO: `keys[peertls.CAIndex]`
			`oldRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[0], originalChain)`
			`require.NoError(t, err)`
			`err = rev.Unmarshal(revocationExt.Value)`
			`require.NoError(t, err)`
			`err = rev.Verify(oldRevokedLeafChain[peertls.CAIndex])`
			`require.NoError(t, err)`

			`// NB: node ID is the same, timestamp must change`
			`// (see: identity.RevocationDB#Put)`
			`time.Sleep(1 * time.Second)`
			// TODO: `keys[peertls.CAIndex]`
			`newRevokedLeafChain, revocationExt, err := testpeertls.RevokeLeaf(keys[0], oldRevokedLeafChain)`
			`require.NoError(t, err)`
			`err = rev.Unmarshal(revocationExt.Value)`
			`require.NoError(t, err)`
			`err = rev.Verify(newRevokedLeafChain[peertls.CAIndex])`
			`require.NoError(t, err)`

			`testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {`
			`opts := &extensions.Options{`
			`RevDB: revDB,`
			`}`

			`testcases := []struct {`
			`name string`
			`chain []*x509.Certificate`
			`}{`
			`{"no extensions", originalChain},`
			`{"leaf revocation", oldRevokedLeafChain},`
			`{"double leaf revocation", newRevokedLeafChain},`
			`// TODO: more and more diverse extensions in cases`
			`}`

			`{`
			`handlerFuncMap := extensions.AllHandlers.WithOptions(opts)`
			`for _, testcase := range testcases {`
			`t.Log(testcase.name)`
			`extensionsMap := tlsopts.NewExtensionsMap(testcase.chain...)`
			`err := extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(testcase.chain))`
			`assert.NoError(t, err)`
			`}`
			`}`
			`})`
			`}`

			`func TestExtensionMap_HandleExtensions_error(t *testing.T) {`
			`ctx := testcontext.New(t)`
			`defer ctx.Cleanup()`

			`testidentity.RevocationDBsTest(t, func(t *testing.T, revDB extensions.RevocationDB, db storage.KeyValueStore) {`
			`keys, chain, oldRevocation, err := testpeertls.NewRevokedLeafChain()`
			`assert.NoError(t, err)`

			`// NB: node ID is the same, timestamp must change`
			`// (see: identity.RevocationDB#Put)`
			`time.Sleep(time.Second)`
			`_, newRevocation, err := testpeertls.RevokeLeaf(keys[0], chain)`
			`require.NoError(t, err)`

			`assert.NotEqual(t, oldRevocation, newRevocation)`

			`err = revDB.Put(chain, newRevocation)`
			`assert.NoError(t, err)`

			`opts := &extensions.Options{RevDB: revDB}`
			`handlerFuncMap := extensions.HandlerFactories{`
			`extensions.RevocationUpdateHandler,`
			`}.WithOptions(opts)`
			`extensionsMap := tlsopts.NewExtensionsMap(chain[peertls.LeafIndex])`

			`assert.Equal(t, oldRevocation, extensionsMap[extensions.RevocationExtID.String()])`

			`err = extensionsMap.HandleExtensions(handlerFuncMap, identity.ToChains(chain))`
			`assert.Errorf(t, err, extensions.ErrRevocationTimestamp.Error())`
			`})`
			`}`